CVE-2025-60021

Published Jan 16, 2026

Last updated 4 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-60021 is a remote command injection vulnerability in Apache bRPC, an industrial-grade C++ RPC framework. The flaw lies in the heap profiler built-in service, specifically the `/pprof/heap` endpoint. It stems from insufficient input validation: the user-supplied `extra_options` parameter is passed into a command line without sanitization, which lets an attacker inject and execute commands on the server. Affected versions of Apache bRPC are 1.11.0 up to, but not including, 1.15.0, on all platforms.

Description
Remote command injection vulnerability in heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows attacker to inject remote command.

Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter.

Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling.

How to Fix: we provide two methods, you can choose one of them:
1. Upgrade bRPC to version 1.15.0.
2. Apply this patch (https://github.com/apache/brpc/pull/3101) manually.
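As an added example (not Apache bRPC's code and not the fix in PR 3101), the C++ below shows the defensive pattern the root cause calls for: percent-decode the extra_options query value, accept only an allow-list of jemalloc-option characters, and hand the result to the profiler as a discrete argv entry rather than as a shell string for popen(). The function names, the `--opts=` flag and the tool name are assumptions.

```cpp
// Added example, not Apache bRPC's code and not the PR 3101 patch. Function
// names, the "--opts=" flag and the tool name are hypothetical.
#include <cctype>
#include <string>
#include <vector>

// Percent-decode a query-string value. Validation must run on the *decoded*
// form: "%3B" is ';' once decoded, so checking the raw form is not enough.
// Returns false on a malformed escape sequence.
bool percent_decode(const std::string& in, std::string* out) {
    out->clear();
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '+') { out->push_back(' '); continue; }
        if (in[i] != '%') { out->push_back(in[i]); continue; }
        if (i + 2 >= in.size() || !std::isxdigit((unsigned char)in[i + 1]) ||
            !std::isxdigit((unsigned char)in[i + 2])) return false;
        out->push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
        i += 2;
    }
    return true;
}

// jemalloc-style profiling options look like "prof_leak:true,lg_prof_sample:19":
// letters, digits, '_', ':' and ',' only. Everything else (space, quotes, ';',
// '|', '$', '`', '(', ')', '&', newline) is rejected rather than escaped.
bool is_safe_extra_options(const std::string& opts, size_t max_len = 256) {
    if (opts.empty() || opts.size() > max_len) return false;
    if (opts.front() == ',' || opts.back() == ',' ||
        opts.find(",,") != std::string::npos) return false;
    for (unsigned char c : opts) {
        if (!(std::isalnum(c) || c == '_' || c == ':' || c == ',')) return false;
    }
    return true;
}

// Build the profiler invocation as a discrete argv vector (for execvp or
// posix_spawn) instead of one shell string handed to popen(). Returns an empty
// vector when the raw query value fails decoding or validation, so the caller
// can answer 400 and log the rejected request.
std::vector<std::string> build_profiler_argv(const std::string& tool,
                                             const std::string& heap_file,
                                             const std::string& raw_extra_options) {
    std::string decoded;
    if (!percent_decode(raw_extra_options, &decoded) ||
        !is_safe_extra_options(decoded)) return {};
    // Each element is exactly one argv entry; no shell ever parses it.
    return {tool, "--opts=" + decoded, heap_file};
}
```
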
Source
security@apache.org
NVD status
Undergoing Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-77

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

21

  1. Command injection vulnerability in Apache bRPC (CVE-2025-60021) https://t.co/m9IjBh9yeI #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    20 Jan 2026

    58 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache bRPC. It affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1EyT4DxTk7 👇Que

    @HunterMapping

    20 Jan 2026

    974 Impressions

    4 Retweets

    20 Likes

    6 Bookmarks

    1 Reply

    0 Quotes

  3. 🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache https://t.co/VAB0iaZDa2 affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1Ey

    @HunterMapping

    20 Jan 2026

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system command

    @ThreatSynop

    20 Jan 2026

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system commands

    @ThreatSynop

    20 Jan 2026

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. CVE-2025-60021 Apache bRPC - Remote Command Injection JeControlProfile Controller > uri_extra_options > cmd_str *uri_extra_options > read_command_output > read_command_output_through_popen > popen https://t.co/14rkc7qy58 https://t.co/Dgg3tmRVkJ #hawktrace #c

    @hawktrace

    19 Jan 2026

    260 Impressions

    8 Retweets

    12 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨Critical Apache bRPC Vulnerability Allows Remote Command Injection (CVE-2025-60021) 🔗 https://t.co/bqmNCfRA4n #cybersecurity #infosec #hacking https://t.co/s37jDmD0RV

    @zerodaywire

    19 Jan 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th

    @zoomeye_team

    19 Jan 2026

    15684 Impressions

    53 Retweets

    152 Likes

    84 Bookmarks

    1 Reply

    1 Quote

  9. 🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th

    @zoomeye_team

    19 Jan 2026

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-60021: Apache bRPC vulnerability enables remote command injection CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection #DailyCyberSecurity (Jan 17) https://t.co/lfvAdydxlP

    @foxbook

    18 Jan 2026

    312 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. 🚨 Danger in Apache bRPC: a vulnerability allows remote control. Apache has released an important update to fix a vulnerability in bRPC, a C++ framework used in large systems. The vulnerability CVE-2025-60021 allows an attacker to execute

    @MisbarSec

    18 Jan 2026

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. How Apache bRPC’s Performance Tools Grant Unauthenticated Root Access (CVE-2025-60021) Read the full report on - https://t.co/vkoVhOS5AE https://t.co/RCUMxm6LcD

    @Iambivash007

    17 Jan 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Apache bRPC flaw opens door to remote command injection: CVE-2025-60021 is a serious issue affecting high-performance systems. #apache #cybersecurity #vulnerability #rpc https://t.co/41Fhs5bSRC

    @xplain_it_again

    17 Jan 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection https://t.co/QKawgi5nkt

    @Karma_X_Inc

    17 Jan 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-60021: Apache bRPC: Remote command injection in heap profiler builtin service https://t.co/BLs2AMAwmk Severity: important /pprof/heap does not validate the user-provided extra_options parameter and executes it as a command-line argument

    @oss_security

    16 Jan 2026

    432 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. 🔴 CVE-2025-60021 - Critical Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Caus... https://t.co/LOlaFvVaw2 https://t.co/ILdDfvt1vV

    @TheHackerWire

    16 Jan 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-60021 Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote com… https://t.co/Mh2x2Tk0x1

    @CVEnew

    16 Jan 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes