Verified: JuiceFS through 1.3.1 exposes its debug and metrics endpoints through the shared http.DefaultServeMux, letting unauthenticated callers reach /debug/pprof/* and read metadata-engine connection strings from the process command line, with potential DoS via the profiling handlers.
REPRO-2026-00220 · JuiceFS (juicedata/juicefs) · go · DoS · Jul 3, 2026
Severity HIGH
Confidence HIGH
Reproduced in 14m 46s
Tool calls 158
Spend $1.92
Affected JuiceFS <= 1.3.1
Fixed in commit a46979cdd4082217081ee99b931ddc53d038e47a
$ pruva-verify REPRO-2026-00220
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00220/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

JuiceFS through 1.3.1 registers its HTTP debug and metrics handlers on the process-wide http.DefaultServeMux. Every listener that serves the default mux therefore serves everything registered on it, so an unauthenticated remote attacker who can reach the metrics port also reaches the /debug/pprof/* handlers, none of which carry authentication of their own. The most damaging is /debug/pprof/cmdline, which returns the process's command-line arguments verbatim: when the metadata engine URL is passed on the command line with an embedded password, that credential is handed to the caller and grants full read/write access to the filesystem metadata (credentials supplied through the environment rather than argv are not exposed by this endpoint). The other pprof handlers disclose internal state such as goroutine stacks and heap contents, and the CPU and trace profilers can be driven repeatedly to degrade or exhaust the process.
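To make the failure mode concrete, the following is an added Go example written for this page; it is not JuiceFS code. It places a metrics route on http.DefaultServeMux, as http.HandleFunc and http.ListenAndServe(addr, nil) do, beside the same route on a private mux, then probes both in-process. Only the shared mux answers /debug/pprof/cmdline, and it returns a constructed argv containing a fake Redis password. The argv, the metrics body and the function names are assumptions; the handler behaviour is the standard library's.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
	"os"
	"strings"
	"sync"
)

// metrics stands in for a Prometheus-style metrics handler. The body is a
// constructed sample, not real JuiceFS output.
func metrics(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, "juicefs_uptime 1")
}

var registerMetrics sync.Once

// VulnerableHandler reproduces the risky pattern: the metrics route is added to
// the shared http.DefaultServeMux, so whatever listener serves it also serves
// every pprof handler the blank import registered at init time.
func VulnerableHandler() http.Handler {
	registerMetrics.Do(func() { http.HandleFunc("/metrics", metrics) })
	return http.DefaultServeMux
}

// HardenedHandler serves the same route from a private mux. Nothing else is
// registered there, so the pprof handlers on DefaultServeMux are unreachable
// through this listener.
func HardenedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", metrics)
	return mux
}

// Probe issues an in-process GET against h and returns status and body; it is
// the same check a tester would run with curl against a live listener.
func Probe(h http.Handler, path string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

// CmdlineLeaks reports whether /debug/pprof/cmdline served by h reveals secret.
// pprof's cmdline handler writes os.Args joined by NUL bytes, so a password
// embedded in a metadata URL passed as an argument comes back verbatim.
func CmdlineLeaks(h http.Handler, secret string) bool {
	code, body := Probe(h, "/debug/pprof/cmdline")
	return code == http.StatusOK && strings.Contains(body, secret)
}

func main() {
	// Constructed argv with a fake password (assumption); a real deployment
	// would carry it inside the metadata-engine URL on the command line.
	os.Args = []string{"juicefs", "gateway", "redis://:hunter2@127.0.0.1:6379/1", "myjfs"}

	cases := []struct {
		name string
		h    http.Handler
	}{
		{"DefaultServeMux", VulnerableHandler()},
		{"private mux", HardenedHandler()},
	}
	for _, c := range cases {
		code, _ := Probe(c.h, "/metrics")
		fmt.Printf("%-16s /metrics -> %d\n", c.name, code)
		code, _ = Probe(c.h, "/debug/pprof/cmdline")
		fmt.Printf("%-16s /debug/pprof/cmdline -> %d, leaks password: %v\n",
			c.name, code, CmdlineLeaks(c.h, "hunter2"))
	}
}
```

Against a live deployment the equivalent check is a GET for /debug/pprof/cmdline on the metrics listener: a 200 with NUL-separated arguments means that listener is serving the shared mux. The remedy has to keep net/http/pprof off the exposed listener, not merely rename routes, because any server started with a nil handler serves DefaultServeMux and therefore every handler any imported package has hung on it.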

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.


05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/ticket.md (2.5 KB)
bundle/ticket.json (3.5 KB)
bundle/AGENTS.repro.md (0.2 KB)
bundle/logs/cmdline-vuln-response.txt (0.2 KB)
bundle/logs/redis.log (2.9 KB)
bundle/logs/format.log (1.1 KB)
bundle/logs/gateway-vuln.log (1.6 KB)
bundle/logs/gateway-fixed.log (1.6 KB)
bundle/repro/artifacts/vuln-cmdline-response.txt (0.2 KB)
bundle/repro/artifacts/vuln-metrics-response.txt (75.3 KB)
bundle/repro/artifacts/fixed-cmdline-response.txt (0.0 KB)
bundle/repro/runtime_manifest.json (0.7 KB)
bundle/repro/validation_verdict.json (0.7 KB)
bundle/logs/vuln_variant/fixed_version.txt (0.3 KB)
bundle/logs/vuln_variant/redis.log (10.1 KB)
bundle/logs/vuln_variant/format.log (0.8 KB)
bundle/logs/vuln_variant/gateway-vuln.log (1.6 KB)
bundle/logs/vuln_variant/vuln-debugagent-cmdline.txt (0.2 KB)
bundle/logs/vuln_variant/vuln-debugagent-cmdline-pretty.txt (0.2 KB)
bundle/logs/vuln_variant/gateway-fixed.log (1.6 KB)
bundle/logs/vuln_variant/fixed-debugagent-cmdline.txt (0.2 KB)
bundle/logs/vuln_variant/fixed-debugagent-cmdline-pretty.txt (0.2 KB)
bundle/logs/vuln_variant/gateway-fixed-noagent.log (1.7 KB)
bundle/logs/vuln_variant/variant-run-1.log (4.1 KB)
bundle/logs/vuln_variant/variant-run-2.log (4.1 KB)
bundle/logs/vuln_variant/variant-run-3.log (0.9 KB)
bundle/logs/vuln_variant/variant-run-4.log (4.1 KB)
bundle/logs/vuln_variant/variant-run-5.log (4.1 KB)
bundle/logs/vuln_variant/variant-run-6.log (4.1 KB)
bundle/logs/vuln_variant/variant-run-7.log (4.1 KB)
bundle/vuln_variant/variant_runtime_result.json (0.4 KB)
bundle/vuln_variant/patch_analysis.md (7.5 KB)
bundle/vuln_variant/variant_manifest.json (4.1 KB)
bundle/vuln_variant/validation_verdict.json (2.3 KB)
bundle/vuln_variant/source_identity.json (1.5 KB)
bundle/vuln_variant/runtime_manifest.json (2.4 KB)
bundle/vuln_variant/root_cause_equivalence.json (2.3 KB)
bundle/repro/reproduction_steps.sh (15.4 KB)
bundle/repro/rca_report.md (8.2 KB)
bundle/vuln_variant/reproduction_steps.sh (19.6 KB)
bundle/vuln_variant/rca_report.md (11.6 KB)