What happened
A remote command injection vulnerability in Apache bRPC’s built-in heap profiler service (the /pprof/heap endpoint) allows unauthenticated attackers to execute arbitrary system commands with the privileges of the bRPC process on affected deployments. The flaw arises from improper input sanitization of the extra_options parameter, whose value is passed directly to underlying system command execution without validation. The vulnerability, tracked as CVE-2025-60021, affects all Apache bRPC versions before 1.15.0. An attacker can exploit it by sending crafted requests to a heap profiler endpoint exposed on an untrusted network. Successful exploitation could enable lateral movement, data exfiltration, persistence, or service disruption on compromised systems. Patches addressing the flaw were released in Apache bRPC 1.15.0 and can also be backported manually from the project repository.
Who is affected
Deployments running Apache bRPC < 1.15.0 that expose the heap profiler endpoint to untrusted networks face direct remote attack risk; this includes both internal and internet-accessible microservices, APIs, and distributed systems built on bRPC.
Why CISOs should care
Remote command injection elevates risk of full system compromise from unauthenticated access, raising operational, data confidentiality, and service availability concerns, particularly for backend infrastructure relying on bRPC.
3 practical actions
- Apply official updates: Upgrade Apache bRPC to 1.15.0 or later to eliminate this attack vector.
- Restrict service exposure: Limit access to the /pprof/heap endpoint using network controls.
- Monitor for unusual activity: Detect anomalous commands and unexpected heap profiler requests in logs and telemetry.
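A log-side check for the monitoring action above, added here as an example and not taken from the advisory or the bRPC project: it scans constructed access-log lines for /pprof/heap requests that come from outside an assumed trusted network or carry shell metacharacters in extra_options (including double-encoded values). The log line format, the trusted address range and the metacharacter set are assumptions to adjust for your environment.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs, unquote

# Networks from which heap profiler requests are expected (assumed; adjust).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Characters that let a value escape a single shell argument.
SHELL_METACHARS = set(";|&`$(){}<>\n")

def classify(line: str) -> list:
    """Return reasons a log line is suspicious; an empty list means no finding.
    Assumed (constructed) log format: '<client_ip> <method> <path?query> <status>'."""
    parts = line.split()
    if len(parts) < 4:
        return []
    client, _method, target, _status = parts[:4]
    url = urlsplit(target)
    if url.path != "/pprof/heap":
        return []
    reasons = []
    try:
        ip = ipaddress.ip_address(client)
        if not any(ip in net for net in TRUSTED_NETS):
            reasons.append("untrusted_source")
    except ValueError:
        reasons.append("unparseable_client")
    params = parse_qs(url.query, keep_blank_values=True)  # one URL-decode pass
    for value in params.get("extra_options", []):
        decoded = unquote(value)  # second pass catches double-encoded values
        if SHELL_METACHARS & set(decoded):
            reasons.append("shell_metachar_in_extra_options")
            break
    return reasons

def scan(lines):
    """Return (line, reasons) for every line with at least one finding."""
    return [(l, r) for l in lines for r in [classify(l)] if r]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10.0.0.5 GET /pprof/heap 200",
    "10.0.0.5 GET /pprof/heap?extra_options=--text 200",
    "198.51.100.7 GET /pprof/heap?extra_options=foo%3Bbar 200",
    "10.0.0.9 GET /pprof/heap?extra_options=foo%253Bbar 200",
    "10.0.0.9 GET /status 200",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG):
        print(f"ALERT {reasons}: {line}")
```

Every hit on /pprof/heap from an untrusted source is worth alerting on even without metacharacters, since the endpoint should not be reachable from there at all.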
