Critical flaw in Apache bRPC exposes debug endpoint

Command injection in Apache bRPC heap profiler

The CyberArk Labs team have identified Apache bRPC users are exposed to a critical command injection flaw in the /pprof/heap endpoint (CVE‑2025‑60021, CVSS 9.8) that enables unauthenticated remote code execution whenever this profiler is reachable.

Critical flaw in Apache bRPC exposes debug endpoint

A critical flaw in Apache bRPC’s /pprof/heap endpoint allows unauthenticated remote code execution on exposed services, researchers warn.

Critical Apache bRPC Flaw Turns Heap Profiling Endpoint Into Remote Code Execution Vector

According to research from Simcha Kosman, a senior cyber researcher at CyberArk Labs, a critical remote code execution flaw in Apache bRPC has put a spotlight on a class of debugging features that quietly sit inside many production systems, rarely scrutinized until something goes wrong.Tracked as CVE-2025-60021 and scored at a near-maximum CVSS 9.8, the vulnerability affects all versions of Apache bRPC prior to 1.15.0. It stems from a command in…