CVE-2025-60021

9.8 CRITICAL

📋 TL;DR

This CVE describes a remote command injection vulnerability in Apache bRPC's heap profiler service. An attacker who can reach the /pprof/heap endpoint can execute arbitrary commands by placing shell metacharacters in its extra_options parameter. Any deployment running bRPC before 1.15.0 with the heap profiler reachable is affected.

💻 Affected Systems

Products:
  • Apache bRPC
Versions: All versions < 1.15.0
Operating Systems: All platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where the bRPC heap profiler service (/pprof/heap) is enabled and accessible.

📦 What is this software?

Apache bRPC is an industrial-grade RPC framework written in C++ (originally developed at Baidu, now an Apache project) used to build high-throughput backend services. Its servers expose a set of built-in HTTP services for operations, including the /pprof/* endpoints for CPU, contention and heap profiling; /pprof/heap is the one affected here.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to execute arbitrary commands with the privileges of the bRPC process, potentially leading to data theft, ransomware deployment, or complete system takeover.

🟠

Likely Case

Remote code execution leading to unauthorized access, data exfiltration, or deployment of malware/backdoors on affected systems.

🟢

If Mitigated

Limited impact if the heap profiler service is disabled or network access is restricted, though the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing instances particularly vulnerable to widespread attacks.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable to insider threats or attackers who have gained network access through other means.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single crafted HTTP request to /pprof/heap: no authentication, no race, and no memory-corruption primitive is involved, so the bar for weaponization is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.15.0

Vendor Advisory: https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m

Restart Required: Yes

Instructions:

1. Obtain bRPC version 1.15.0 or later from the official Apache repository (bRPC is normally built from source, so update the version pinned in your build and rebuild every binary that links it).
2. Replace the existing bRPC installation with the patched version.
3. Restart all services using bRPC; the fix only takes effect in processes that have loaded the rebuilt library.
4. Verify the fix by confirming the rebuilt binaries link bRPC 1.15.0 or later and that a request to /pprof/heap whose extra_options value contains shell metacharacters no longer results in command execution.

🔧 Temporary Workarounds

Disable heap profiler service

Platform: all

Disable the vulnerable /pprof/heap endpoint to prevent exploitation

Configure bRPC so the heap profiler is not reachable. bRPC has no per-endpoint switch for /pprof/heap; the relevant ServerOptions fields are has_builtin_services (set to false to turn off all built-in services, including /status and /vars) and internal_port (serve the built-in services on a separate port that is only reachable from an administrative network). Remember that the built-in services share the RPC port unless internal_port is set.

Network access restriction

Platform: linux

Restrict network access to the bRPC service using firewall rules. Because the built-in services share the RPC port by default, this also blocks RPC clients outside the trusted network, which is usually the intent. Persist the rules (iptables-save or your distribution's mechanism) so they survive a reboot.

# Allow the trusted network first, then drop everyone else. These rules must
# precede any existing rule that already ACCEPTs the port, or they never match.
iptables -A INPUT -p tcp --dport [BRPC_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [BRPC_PORT] -j DROP

🧯 If You Can't Patch

  • Disable the heap profiler service immediately in all bRPC configurations
  • Implement strict network segmentation and firewall rules to limit access to bRPC services

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if the bRPC version linked into your binaries is below 1.15.0 and the /pprof/heap endpoint answers HTTP requests from networks you do not trust. A plain GET to /pprof/heap (no parameters) is enough to establish reachability; it does not exercise the injection.

Check Version:

bRPC is a library linked into your application, so check the version pinned in your build system (CMake or Bazel dependency, vendored source tree, or package manager) for every binary that embeds a bRPC server. Do not rely on a server's /version built-in page: it reports the version string the application set for itself, not the bRPC library version.

Verify Fix Applied:

After patching, confirm that every rebuilt binary links bRPC 1.15.0 or later and that a request to /pprof/heap carrying shell metacharacters in extra_options is rejected rather than executed.
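The two checks above combined into one helper, as an added example for this page (not bRPC project code): it compares the library version you took from your build manifest against 1.15.0 and probes whether the port serving bRPC's built-in services answers /pprof/heap. The probe sends no extra_options, so it only establishes reachability. The base URL and the injectable fetch function are assumptions for illustration.

```python
"""Assess exposure to CVE-2025-60021 from the bRPC library version and whether
/pprof/heap is reachable.

Added example for this advisory; not bRPC project code. Assumes you know the
bRPC version your binary was built against (from your build manifest) and the
base URL of the port that serves the built-in services.
"""
import re
import urllib.error
import urllib.request

FIXED = (1, 15, 0)  # first release containing the fix


def parse_version(text: str) -> tuple:
    """Turn '1.14.1', 'v1.14.0' or '1.15.0-rc1' into a comparable tuple.
    Only the numeric part is compared; check release candidates against the advisory."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised bRPC version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_is_vulnerable(text: str) -> bool:
    return parse_version(text) < FIXED


def fetch_status(url: str, timeout: float = 5.0):
    """HTTP GET; returns the status code, or None if the port does not answer."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # the service answered, just not with 2xx
    except (urllib.error.URLError, OSError):
        return None            # connection refused, filtered or timed out


def assess(version: str, base_url: str, fetch=fetch_status) -> dict:
    """Combine the version check with a reachability probe of /pprof/heap.
    `fetch` is injectable so the logic can be exercised without a live server."""
    status = fetch(base_url.rstrip("/") + "/pprof/heap")
    vulnerable_version = version_is_vulnerable(version)
    reachable = status is not None
    return {
        "version_vulnerable": vulnerable_version,
        "endpoint_reachable": reachable,
        "http_status": status,
        # at risk only when an unfixed library is reachable from where you probed
        "at_risk": vulnerable_version and reachable,
    }


if __name__ == "__main__":
    # Hypothetical version and address; replace with your own values.
    print(assess("1.14.1", "http://127.0.0.1:8000"))
```

Run the probe from a network segment you do not trust (or from the internet for public hosts): an endpoint that is reachable only from an administrative network lowers the exposure even before the upgrade.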

📡 Detection & Monitoring

Log Indicators:

  • Unexpected child processes of the bRPC server process, in particular shells (sh, bash) or network tools it has no reason to run
  • Requests to /pprof/heap whose extra_options parameter contains shell metacharacters (|, ;, &, `, $(), <, >), including percent-encoded forms
  • Profiler requests from clients that never otherwise call the built-in services

Network Indicators:

  • HTTP requests to /pprof/heap with shell metacharacters or command injection payloads
  • Unusual outbound connections from bRPC service

SIEM Query:

source="bRPC" AND (url_path="/pprof/heap" AND (param="extra_options" CONTAINS "|" OR param="extra_options" CONTAINS ";" OR param="extra_options" CONTAINS "`"))

The query is written in a generic pseudo-syntax; adapt it to your SIEM's field names. Match on the percent-decoded parameter value, not the raw URL, since an attacker can encode the metacharacters (%7C, %3B, %60, or double-encoded as %257C and so on) and a raw substring match will miss them. Extend the character list to include &, $, (, ), < and >.
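The same detection logic run over a few access-log lines, as an added example for this page (not bRPC project code). The log lines are constructed, in a generic reverse-proxy access-log format with a quoted request line; it decodes percent-encoding twice so double-encoded payloads are caught, and splits the query string on & only, because parse_qs on older Python versions also splits on ; and would hide exactly the character you are looking for.

```python
"""Flag command-injection attempts against bRPC's /pprof/heap in HTTP access logs.

Added example for this advisory; not bRPC project code, and the sample log is
constructed. Assumes a reverse-proxy or load-balancer access log whose request
line is quoted ("GET /path?query HTTP/1.1"); adjust LOG_RE for other formats.
"""
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Shell metacharacters that never belong in a pprof option string.
SHELL_META = set("|;&`$<>()\n\r")

# Client address plus the quoted request line, as in common/combined log formats.
LOG_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_params(query: str) -> dict:
    """Split on '&' only and percent-decode keys and values once.
    (parse_qs on Python < 3.9.2 also splits on ';', which would hide a ';' payload.)"""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def injected_extra_options(target: str):
    """Return the decoded extra_options value if it carries shell metacharacters, else None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/pprof/heap":
        return None
    for value in query_params(parts.query).get("extra_options", []):
        decoded = unquote(value)  # second decode catches %25-encoded payloads
        if SHELL_META & set(decoded):
            return decoded
    return None


def scan_log(text: str) -> list:
    """Return (client, decoded extra_options) for every suspicious /pprof/heap request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = injected_extra_options(m.group("target"))
        if hit is not None:
            findings.append((m.group("client"), hit))
    return findings


# Constructed sample: two benign profiler calls, two injection attempts
# (one raw, one double-encoded), one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:10:00:01 +0000] "GET /pprof/heap HTTP/1.1" 200 512
10.0.0.5 - - [12/Oct/2025:10:00:02 +0000] "GET /pprof/heap?extra_options=--text HTTP/1.1" 200 812
203.0.113.9 - - [12/Oct/2025:10:00:03 +0000] "GET /pprof/heap?extra_options=--text;id HTTP/1.1" 200 900
203.0.113.9 - - [12/Oct/2025:10:00:04 +0000] "GET /pprof/heap?extra_options=%252dx%2560id%2560 HTTP/1.1" 200 900
203.0.113.9 - - [12/Oct/2025:10:00:05 +0000] "GET /status HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for client, payload in scan_log(SAMPLE_LOG):
        print(f"{client}: suspicious extra_options={payload!r}")
```

Feed it your proxy or load-balancer logs rather than the bRPC process's own logs: bRPC does not write a per-request access log by default, so the edge in front of it is usually the only place the full request target is recorded.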

🔗 References

  • Vendor advisory: https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m