Summary
Apache bRPC versions prior to 1.15.0 contain a critical remote command injection vulnerability (CVE-2025-60021) in the built-in heap profiler service. Input supplied in the extra_options parameter is passed through without validation, so an attacker who can reach the service can execute arbitrary commands with the privileges of the bRPC server process.
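The bug class described above, as an added illustration that is not bRPC's own code and does not reproduce the project's actual fix: a profiler option string spliced verbatim into a shell command line beside a hardened variant that tokenizes the input, accepts only an allowlist of flag names, and builds an argv vector for a no-shell exec. The `pprof` command name, the allowlisted flags, the profile path and the function names are all assumptions made for the example.

```cpp
// Added example (hypothetical, not Apache bRPC code): unvalidated option
// forwarding versus allowlist validation. Names, flags and paths are assumed.
#include <sstream>
#include <string>
#include <vector>

// Vulnerable pattern: caller-controlled extra_options are concatenated into a
// command line that would later be handed to a shell. Returned as a string
// here (never executed) so the injected payload is visible.
std::string build_pprof_command_unsafe(const std::string& extra_options) {
    return "pprof --text " + extra_options + " ./profile.heap";
}

// Constructed allowlist of flag names the service is willing to forward.
static const std::vector<std::string> kAllowedFlags = {
    "--text", "--lines", "--inuse_space", "--alloc_space"};

// Hardened pattern: split extra_options on whitespace, require every token to
// match the allowlist exactly (so ';', '|', '$(' or any unknown flag is
// rejected), and emit an argv vector intended for execvp-style execution
// without a shell. Returns false and leaves argv empty on rejection.
bool build_pprof_argv(const std::string& extra_options,
                      std::vector<std::string>& argv) {
    argv.clear();
    std::vector<std::string> out = {"pprof"};
    std::istringstream in(extra_options);
    std::string tok;
    while (in >> tok) {
        bool allowed = false;
        for (const auto& f : kAllowedFlags) {
            if (f == tok) { allowed = true; break; }
        }
        if (!allowed) return false;  // unknown flag or shell metacharacter
        out.push_back(tok);
    }
    out.push_back("./profile.heap");
    argv.swap(out);
    return true;
}

int main() {
    // Injected payload survives intact in the unsafe builder.
    std::string cmd = build_pprof_command_unsafe("--text; id");
    std::vector<std::string> argv;
    bool ok_good = build_pprof_argv("--lines --inuse_space", argv);
    bool ok_bad = build_pprof_argv("--lines; id", argv);
    return (cmd.find("; id") != std::string::npos && ok_good && !ok_bad) ? 0 : 1;
}
```

The allowlist is the load-bearing control: rejecting individual metacharacters is fragile, but accepting only known flag names and never invoking a shell removes the injection surface regardless of which characters the attacker tries.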
Take Action:
If you are using Apache bRPC, upgrade to version 1.15.0 or later as soon as possible; that is the fix. Until the upgrade is in place, keep all bRPC instances off the internet and reachable only from trusted networks, and disable the heap profiler service so that an attacker who does reach a server cannot use it to run commands.
This article was originally published on BeyondMachines