Remote Command Injection in Apache bRPC /pprof/heap Heap Profiler
CVE-2025-60021 is a remote command injection vulnerability in Apache bRPC’s built-in heap profiler service, specifically the /pprof/heap endpoint, affecting all versions prior to 1.15.0 on all platforms. The flaw exists because the endpoint does not properly validate or sanitize the user-controlled extra_options parameter before passing it as a command-line argument during jemalloc heap profiling operations. As a result, shell metacharacters or other crafted input can alter the intended command execution flow and cause arbitrary system commands to be executed. The issue is relevant in deployments that use the built-in bRPC heap profiler service for jemalloc memory profiling and have the vulnerable endpoint reachable by an attacker.
Exploits
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single Python proof-of-concept exploit (`CVE-2025-60021.py`) and a descriptive `README.md`.

- Primary capability: unauthenticated remote command execution against Apache bRPC's heap profiler builtin service by injecting shell syntax into the `extra_options` query parameter on the `/pprof/heap` endpoint. The script constructs a URL of the form `<target>/pprof/heap?extra_options=; <cmd> #` and sends an HTTP GET request using `requests` with TLS verification disabled.
- Operator control: the command is fully user-supplied via CLI (`target` and `cmd` positional args). No built-in reverse shell is embedded, but arbitrary commands can be provided.
- Output/feedback: success is inferred from HTTP 200; the response body is printed if non-empty, otherwise the user is instructed to check logs/listeners.

Structure/purpose:

- `CVE-2025-60021.py`: entry-point PoC exploit script (argparse CLI) implementing the injection and request.
- `README.md`: vulnerability overview, affected versions claim (< 1.15.0), endpoint details (`/pprof/heap`, `extra_options`), and references. It also includes usage guidance (partially truncated in provided content).

Repository contains a small, standalone Python proof-of-concept exploit for CVE-2025-60021 (Apache bRPC heap profiler builtin service command injection) plus a detailed README.

Structure:

- `CVE-2025-60021.py`: entry-point script using argparse + requests. It builds a URL to the bRPC profiling endpoint `/pprof/heap` and injects a shell command into the `extra_options` query parameter using the payload pattern `'; {command} #'`. It sends an unauthenticated HTTP GET request (TLS verification disabled) and reports success heuristically on HTTP 200, optionally printing the response body as potential command output.
- `README.md`: explains the affected product/versions (< 1.15.0), the vulnerable endpoint (`/pprof/heap`), the injection parameter (`extra_options`), and provides usage guidance and references.

Main exploit capabilities:

- Unauthenticated network-based RCE against exposed vulnerable bRPC instances by leveraging unsanitized `extra_options` handling in the heap profiler endpoint.
- Operator-supplied arbitrary command execution (no built-in post-exploitation beyond printing response/output).

Notable targeting/fingerprinting indicators:

- Requests to `/pprof/heap` with an `extra_options` query parameter containing shell metacharacters (e.g., leading `;` and trailing `#`) are strong indicators of exploitation attempts.
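The fingerprinting indicator above can be turned into a log check. The following is an added detection example written for this page, not code from Mallory or from the bRPC project: it parses access-log request lines (the sample lines and the placeholder `CMD` are constructed), percent-decodes the `extra_options` value of `/pprof/heap` requests, including a double-encoded value, and flags any that contain shell metacharacters.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that should never appear in a profiler option string; a hit
# means the value is being used as shell syntax rather than as an option.
SHELL_META = re.compile(r"[;&|`$<>#\n]")

# Request line inside a Common Log Format entry, e.g. "GET /path HTTP/1.1".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_extra_options(target: str) -> bool:
    """True if a request target hits /pprof/heap with shell syntax in extra_options."""
    parts = urlsplit(target)
    if parts.path != "/pprof/heap":
        return False
    # parse_qs decodes one layer of percent-encoding; unquote() strips a
    # second layer so that a double-encoded payload is still inspected.
    for value in parse_qs(parts.query, keep_blank_values=True).get("extra_options", []):
        if SHELL_META.search(unquote(value)):
            return True
    return False


def scan_access_log(text: str) -> list:
    """Return the request targets of every suspicious /pprof/heap request in the log."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if m and suspicious_extra_options(m.group("target")):
            hits.append(m.group("target"))
    return hits


# Constructed sample log (not captured from a real server): one benign
# profiler request, one using the "; CMD #" injection shape, one unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /pprof/heap HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:05 +0000] "GET /pprof/heap?extra_options=%3B%20CMD%20%23 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2025:10:00:07 +0000] "GET /status HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for target in scan_access_log(SAMPLE_LOG):
        print("suspicious /pprof/heap request:", target)
```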
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical command injection vulnerability in Apache bRPC’s /pprof/heap endpoint that can lead to remote code execution by injecting shell metacharacters via an unvalidated parameter.
A critical command injection vulnerability in Apache bRPC’s /pprof/heap profiling endpoint where the user-controlled extra_options parameter is appended to a shell command, enabling remote code execution when the endpoint is reachable.
Remote command injection / unauthenticated remote code execution in Apache bRPC’s built-in heap profiler (jemalloc profiling) via unsanitized extra_options passed to system command execution on the /pprof/heap endpoint.