
A CyberArk Labs research team has identified a critical flaw in the widely used Apache bRPC framework that allows remote command execution on a server. The security issue has been classified as CVE-2025-60021 and has a CVSS severity rating of 9.8.
The vulnerability was discovered in the heap profiler URL /pprof/heap using Vulnhalla, an AI-based tool developed by CyberArk Labs to analyze CodeQL's static analyzer output. The issue affected all Apache bRPC versions prior to 1.15.0.
The vulnerability was that the profiling service failed to validate the extra_options user parameter before including it in the jeprof command line.
Apache bRPC is a high-performance open-source C++ library that helps developers build backend services that communicate via RPC (remote procedure call).
The framework is widely used for building microservice architectures, where many small services constantly communicate with each other. For debugging and troubleshooting in production, Apache bRPC includes built-in HTTP URLs such as /pprof/*, which return various diagnostic information, such as CPU profiles, memory snapshots, and other execution statistics.
Before the patch, the extra_options parameter was simply appended to the jeprof command in the format — . Since this command was then executed to generate the profiling results, special shell characters in the attacker-controlled input could modify the executed command, causing command injection.
While profiling URLs are typically intended for internal use, they can be exposed publicly due to misconfiguration. At the time of writing, the Shodan search engine showed 181 publicly accessible /pprof/heap URLs and a total of 790 /pprof/* URLs.
Apache fixed this issue in bRPC 1.15.0 by restricting the extra_options parameter to a small whitelist of supported jeprof options, preventing untrusted input from being passed to the executed command. Users are advised to upgrade to Apache bRPC 1.15.0 or apply the patch from pull request #3101 if an immediate upgrade is not possible.
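The pattern described above, an unvalidated parameter concatenated into a command string, next to the allowlist-style check that the fix introduced, as an added C++ illustration that is not bRPC's own code. The function names, the allowlist contents and the command layout are assumptions for the example; the real list of permitted jeprof options is the one in pull request #3101, and the unsafe builder exists only to show what the validation prevents.

```cpp
#include <iostream>
#include <optional>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Vulnerable pattern (illustrative, not bRPC's code): the caller-supplied
// extra_options string is spliced verbatim into a shell command line, so any
// shell metacharacter in it changes what the shell executes.
std::string BuildJeprofCommandUnsafe(const std::string& jeprof_path,
                                     const std::string& binary,
                                     const std::string& profile,
                                     const std::string& extra_options) {
    return jeprof_path + " " + binary + " " + profile + " " + extra_options;
}

// Hypothetical allowlist of jeprof flags accepted from the request.
// The set bRPC 1.15.0 actually permits is defined in PR #3101, not here.
static const std::set<std::string> kAllowedJeprofOptions = {
    "--inuse_space", "--inuse_objects", "--alloc_space", "--alloc_objects",
};

// Split extra_options on whitespace and require every token to be an exact
// member of the allowlist. A token carrying any extra character (';', '|',
// '$', a path, ...) never matches, so the whole value is rejected.
std::optional<std::vector<std::string>> ValidateExtraOptions(
        const std::string& extra_options) {
    std::vector<std::string> tokens;
    std::istringstream in(extra_options);
    std::string tok;
    while (in >> tok) {
        if (kAllowedJeprofOptions.count(tok) == 0) {
            return std::nullopt;  // unknown or malformed option: refuse the request
        }
        tokens.push_back(tok);
    }
    return tokens;
}

// Hardened builder: only validated tokens are ever appended to the command.
std::optional<std::string> BuildJeprofCommandSafe(const std::string& jeprof_path,
                                                  const std::string& binary,
                                                  const std::string& profile,
                                                  const std::string& extra_options) {
    auto opts = ValidateExtraOptions(extra_options);
    if (!opts) return std::nullopt;
    std::string cmd = jeprof_path + " " + binary + " " + profile;
    for (const auto& o : *opts) cmd += " " + o;
    return cmd;
}

int main() {
    // Constructed inputs: a legitimate flag and one carrying a shell separator.
    const std::string good = "--inuse_space";
    const std::string bad  = "--inuse_space;echo x";

    std::cout << "unsafe: " << BuildJeprofCommandUnsafe("jeprof", "./server", "heap.prof", bad) << "\n";
    auto safe_good = BuildJeprofCommandSafe("jeprof", "./server", "heap.prof", good);
    auto safe_bad  = BuildJeprofCommandSafe("jeprof", "./server", "heap.prof", bad);
    std::cout << "safe (good): " << (safe_good ? *safe_good : "<rejected>") << "\n";
    std::cout << "safe (bad):  " << (safe_bad ? *safe_bad : "<rejected>") << "\n";
    return 0;
}
```

Exact-match allowlisting is deliberate: a prefix or substring check would still let trailing shell syntax through. Independently of the allowlist, launching jeprof through an argv-based API (fork/execve or posix_spawn) rather than a shell removes the interpreter that makes the metacharacters meaningful, which is a complementary hardening worth applying to any such diagnostic endpoint.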
Interestingly, the vulnerability was discovered using Vulnhalla, a tool that runs CodeQL at scale and applies a sorting layer based on a large language model to prioritize results most likely to be exploited. In this case, Vulnhalla flagged the issue as a vulnerability, triggering a manual review to confirm the finding.
