# REPRO-2026-00072: Apache bRPC: Remote Command Injection in Heap Profiler

## Summary

- Status: published
- Severity: high
- Type: security
- Confidence: Unknown

## Identifiers

- REPRO ID: REPRO-2026-00072
- CVE: CVE-2025-60021

## Package

- Name: brpc
- Ecosystem: cpp
- Affected: 1.11.0 to <1.15.0
- Fixed: 1.15.0

## Root Cause Analysis - CVE-2025-60021

### Summary

Apache bRPC versions 1.11.0 through 1.14.x allow remote command injection via the built-in `/pprof/heap` endpoint when jemalloc profiling is enabled. The handler concatenates the user-controlled `extra_options` query parameter directly into the shell command it uses to invoke `jeprof`, and that command is executed through `popen()`, so shell metacharacters in the parameter are interpreted by the shell and arbitrary commands run with the privileges of the bRPC process.

### Impact

- **Component:** `src/brpc/details/jemalloc_profiler.cpp` (jemalloc heap profiler endpoint `/pprof/heap`)
- **Affected versions:** 1.11.0 to <1.15.0
- **Risk level:** Important. Remote command execution as the service user, enabling data exfiltration and lateral movement.

### Root Cause

The heap profiler handler builds a command line for `jeprof` and appends the `extra_options` query parameter without validation:

- Vulnerable code (1.14.1): `cmd_str += " --" + *uri_extra_options + " ";`
- The command is executed via `butil::read_command_output`, which uses `popen()` (`/bin/sh -c`), so shell metacharacters in `extra_options` (for example `;`, `|`, `$(...)` and backticks) are interpreted by the shell instead of being passed to `jeprof` as a literal argument.

The fix in 1.15.0 introduces a whitelist of allowed `extra_options` values and ignores unsupported inputs, preventing shell metacharacter injection. See PR https://github.com/apache/brpc/pull/3101.

### Reproduction Steps

1. Run `repro/reproduction_steps.sh`.
2. The script builds bRPC 1.14.1 and 1.15.0, starts the echo server with jemalloc profiling enabled, then issues crafted `/pprof/heap` requests.
3. Expected evidence: `uid=...` appears in `logs/vuln_response.txt` for 1.14.1 and is absent in `logs/fixed_response.txt` for 1.15.0.
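The concatenate-then-`popen()` pattern described under Root Cause, and the "avoid shell execution entirely" advice under Recommendations / Next Steps, as an added example that is not bRPC's own code: a minimal vulnerable command builder beside two hardened variants, an exact-match allowlist and an argv vector meant for `execve()`/`posix_spawn()` rather than a shell. Function names, the sample paths and the allowlist contents are assumptions for illustration (the four entries are real `jeprof` flags, but the list bRPC 1.15.0 actually accepts is in PR #3101, not reproduced here). Nothing in the block executes a command; it only builds and inspects the strings. Compiles with C++17.

```cpp
// Added example for CVE-2025-60021, not bRPC's code. Names and the allowlist
// below are illustrative assumptions.
#include <algorithm>
#include <array>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Vulnerable pattern (bRPC 1.11.0 - 1.14.x): the query parameter is glued into
// a single command string that later reaches popen(), i.e. `/bin/sh -c cmd`.
// Anything the shell treats specially (`;`, `|`, `&`, `$(...)`, backticks) is
// interpreted, so an extra_options value of ";id;" runs `id`.
std::string build_jeprof_cmd_vulnerable(const std::string& jeprof_path,
                                        const std::string& binary,
                                        const std::string& heap_file,
                                        const std::string& extra_options) {
    std::string cmd_str = jeprof_path + " " + binary + " " + heap_file;
    cmd_str += " --" + extra_options + " ";   // unvalidated user input
    return cmd_str;
}

// Hardened pattern 1: an allowlist of complete option tokens (assumed set).
constexpr std::array<std::string_view, 4> kAllowedExtraOptions = {
    "inuse_space", "inuse_objects", "alloc_space", "alloc_objects"};

bool is_allowed_extra_option(std::string_view opt) {
    return std::find(kAllowedExtraOptions.begin(), kAllowedExtraOptions.end(),
                     opt) != kAllowedExtraOptions.end();
}

// Returns the option to append, or nullopt if the input is not exactly one
// allowlisted token. Exact matching rejects ";id;" and "inuse_space;id"
// outright instead of trying to strip metacharacters from them.
std::optional<std::string> validated_extra_option(const std::string& extra_options) {
    if (is_allowed_extra_option(extra_options)) {
        return extra_options;
    }
    return std::nullopt;
}

// Hardened pattern 2: never build a shell string at all. Produce an argv
// vector for posix_spawn()/execve(); each element is one argument, so any
// metacharacters inside an element reach jeprof literally and no shell ever
// parses them. Unsupported options are dropped, mirroring "ignores
// unsupported inputs" in the 1.15.0 fix description.
std::vector<std::string> build_jeprof_argv(const std::string& jeprof_path,
                                           const std::string& binary,
                                           const std::string& heap_file,
                                           const std::string& extra_options) {
    std::vector<std::string> argv = {jeprof_path, binary, heap_file};
    if (auto opt = validated_extra_option(extra_options)) {
        argv.push_back("--" + *opt);
    }
    return argv;
}

// Regression-test aid: does a command string contain characters that
// /bin/sh -c would interpret? Covers the common subset only.
bool contains_shell_metachar(std::string_view s) {
    return s.find_first_of(";|&`$<>\n") != std::string_view::npos;
}

int main() {
    const std::string payload = ";id;";  // constructed sample query value
    std::cout << "vulnerable: "
              << build_jeprof_cmd_vulnerable("jeprof", "./echo_server",
                                             "heap.prof", payload)
              << "\n";
    for (const auto& a : build_jeprof_argv("jeprof", "./echo_server",
                                           "heap.prof", payload)) {
        std::cout << "argv: " << a << "\n";
    }
    return 0;
}
```

The vulnerable builder exists only to show what reaches `popen()`; the two hardened functions are the shapes a regression test for `/pprof/heap` should pin down, namely that unknown `extra_options` values never appear in the command and that the command is never handed to a shell.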
### Evidence

- Vulnerable response (1.14.1): `logs/vuln_response.txt`
  - `uid=0(root) gid=0(root) groups=0(root)` (line 82)
- Fixed response (1.15.0): `logs/fixed_response.txt`
  - No `uid=` output present.
- Build and runtime logs:
  - `logs/echo_server_vuln.log`
  - `logs/echo_server_fixed.log`

The `uid=0(root)` output reflects the reproduction environment running the echo server as root; in a deployment the injected command runs with whatever privileges the bRPC process has.

Environment details:

- Ubuntu with system dependencies installed via `apt-get`.
- jemalloc enabled via `MALLOC_CONF=prof:true` and `LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2`.

### Recommendations / Next Steps

- Upgrade to bRPC 1.15.0 or apply the whitelist patch from PR #3101.
- Consider avoiding shell execution entirely (pass arguments directly to `execve` without a shell) for any future tooling.
- Add regression tests for `/pprof/heap` to ensure only approved options are accepted.

### Additional Notes

- Idempotency verified: `repro/reproduction_steps.sh` executed twice successfully.
- The exploit only applies when jemalloc profiling is enabled and `/pprof/heap` is reachable.

## Reproduction Details

- Reproduced: 2026-01-21T06:18:18.719Z
- Duration: 2873 seconds
- Tool calls: 503
- Turns: Unknown
- Handoffs: 4

## Timeline (Key Moments)

1. [env_setup] Cloning brpc repository (repro): Agent clones the Apache bRPC repository to analyze the vulnerable code and prepare for reproduction testing.
2. [vuln_analysis] Analyzing the security fix (repro): Agent diffs version 1.14.1 (vulnerable) against 1.15.0 (fixed) to understand how command injection via the `extra_options` parameter was patched by adding whitelist validation.
3. [vuln_triggered] Command injection confirmed (repro): The shell command injected via the `extra_options` parameter executes; a curl request with a `;id;` payload returns `uid=0(root) gid=0(root)`, proving remote command execution.
4. [poc_created] Reproduction script written (repro): Agent writes a comprehensive `reproduction_steps.sh` that builds the vulnerable and fixed versions, tests the command injection, and validates that the fix prevents exploitation.
## Quick Verification

Run one of these commands to verify locally:

```
pruva-verify REPRO-2026-00072
pruva-verify CVE-2025-60021
```

Or open in GitHub Codespaces (zero-friction, auto-runs): https://github.com/codespaces/new?ref=repro/REPRO-2026-00072&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00072/artifacts/repro/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60021
- Source: https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m

## Artifacts

- repro/reproduction_steps.sh (reproduction_script, 3871 bytes)
- repro/rca_report.md (analysis, 2637 bytes)
- coding/proposed_fix.diff (patch, 3212 bytes)
- bundle/ticket.md (ticket, 1884 bytes)
- coding/summary_report.md (documentation, 912 bytes)
- coding/verify_fix.sh (other, 525 bytes)
- logs/memory.json (other, 478 bytes)
- logs/repro_tool_calls.json (other, 254393 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00072
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00072/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00072

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction.
2. The script downloads and runs automatically in an isolated temp directory.
3. Always recommend running in a VM, container, or disposable environment.
4. The root cause explains the technical vulnerability.

---

Generated by Pruva | https://pruva.dev