
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN043
_____________________________________________________________________

DATE                : 16/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache bRPC versions prior
                                      to 1.15.0.

=====================================================================
https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m
_____________________________________________________________________


CVE-2025-60021: Apache bRPC: Remote command injection vulnerability
in heap builtin service

Severity: important 

Affected versions:

- Apache bRPC 1.11.0 before 1.15.0

Description:

A remote command injection vulnerability in the heap profiler built-in
service of Apache bRPC (all versions < 1.15.0) on all platforms allows
an attacker to inject remote commands.


Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does
not validate the user-provided extra_options parameter and passes it
straight through as a command-line argument. An attacker can therefore
execute remote commands through the extra_options parameter.

Affected scenarios: deployments that use the built-in bRPC heap profiler
service to perform jemalloc memory profiling.
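As an added illustration, not code from bRPC or from this advisory, the kind of allow-list validation the root cause calls for: a hypothetical validator that accepts an extra_options string only when every token is a plain --name[=value] flag drawn from a small safe alphabet, so shell metacharacters, empty names and stray words never reach the command line. The sample inputs are constructed.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Characters allowed in a flag value (hypothetical allow-list): alphanumerics
// plus a few punctuation marks commonly seen in option values. No quotes,
// semicolons, pipes, backticks, dollar signs or whitespace ever pass.
static bool safe_value_char(char c) {
    return std::isalnum(static_cast<unsigned char>(c)) || c == '_' ||
           c == '-' || c == '.' || c == ',' || c == ':' || c == '/';
}

// A token is accepted only as "--name" or "--name=value" with a non-empty
// name made of [A-Za-z0-9_-] and a non-empty value of safe characters.
static bool safe_token(const std::string& tok) {
    if (tok.size() < 3 || tok.compare(0, 2, "--") != 0) return false;
    std::string::size_type eq = tok.find('=');
    std::string name = tok.substr(2, eq == std::string::npos ? std::string::npos : eq - 2);
    if (name.empty()) return false;
    for (char c : name)
        if (!std::isalnum(static_cast<unsigned char>(c)) && c != '_' && c != '-') return false;
    if (eq != std::string::npos) {
        std::string value = tok.substr(eq + 1);
        if (value.empty()) return false;
        for (char c : value)
            if (!safe_value_char(c)) return false;
    }
    return true;
}

// Splits the raw query parameter on single spaces and validates every token.
// Returns true and fills `args` (each element safe to pass as ONE argv entry,
// never through a shell) or returns false and leaves `args` empty.
bool validate_extra_options(const std::string& raw, std::vector<std::string>& args) {
    args.clear();
    std::string cur;
    for (char c : raw + ' ') {          // trailing space flushes the last token
        if (c != ' ') { cur += c; continue; }
        if (cur.empty()) continue;
        if (!safe_token(cur)) { args.clear(); return false; }
        args.push_back(cur);
        cur.clear();
    }
    return true;
}

// Convenience wrapper: number of accepted arguments, or -1 when rejected.
int count_accepted(const std::string& raw) {
    std::vector<std::string> args;
    return validate_extra_options(raw, args) ? static_cast<int>(args.size()) : -1;
}
```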

How to Fix: either of the following two methods resolves the issue:

1. Upgrade bRPC to version 1.15.0.
2. Apply the patch at https://github.com/apache/brpc/pull/3101 manually.

Credit:

Simcha Kosman (reporter)

References:

https://brpc.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-60021


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email: cert@support.renater.fr +
=========================================================