CVE-2025-60021

Published Jan 16, 2026

Last updated a month ago

Overview

Description
Remote command injection vulnerability in the heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows an attacker to inject remote commands.

Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter.

Affected scenarios: Using the built-in bRPC heap profiler service to perform jemalloc memory profiling.

How to Fix: We provide two methods; you can choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.
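As an added illustration of the defensive pattern the root cause calls for (this is not bRPC's code and not the fix from the linked patch): an allowlist validator that splits `extra_options` into separate argv entries and rejects any token that is not a plain flag, so the value is never handed to a shell as a string. The flag names used in the tests (`--inuse_space`, `--lines`, `--base`) are pprof-style examples assumed for illustration.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Accepts only plain profiler flags: "-x", "--name" or "--name=value", with
// the value restricted to a conservative character set. Anything a shell
// could interpret (quotes, ';', '|', '$', '`', '&', '<', '>', parentheses,
// whitespace inside a token) falls outside this set and is rejected.
bool IsSafeOptionToken(const std::string& tok) {
  if (tok.size() < 2 || tok[0] != '-') return false;
  size_t i = (tok.size() > 2 && tok[1] == '-') ? 2 : 1;
  if (i >= tok.size() || !std::isalpha(static_cast<unsigned char>(tok[i]))) return false;
  bool in_value = false;
  for (; i < tok.size(); ++i) {
    unsigned char c = static_cast<unsigned char>(tok[i]);
    if (std::isalnum(c) || c == '_') continue;
    if (c == '=' && !in_value) { in_value = true; continue; }
    if (in_value && (c == '.' || c == ',' || c == ':' || c == '/' || c == '-')) continue;
    return false;
  }
  // "--name=" with an empty value is rejected as well.
  return tok.back() != '=';
}

// Splits a user-supplied extra_options string on spaces into separate argv
// entries and validates every token. Returns false (leaving *argv empty) if
// any token fails, so the caller never concatenates the raw string into a
// popen()-style command; the vector is meant for an exec-style call that
// passes one argv element per option.
bool ParseExtraOptions(const std::string& raw, std::vector<std::string>* argv) {
  argv->clear();
  std::vector<std::string> tokens;
  std::string cur;
  for (char c : raw) {
    if (c == ' ') { if (!cur.empty()) { tokens.push_back(cur); cur.clear(); } }
    else cur += c;
  }
  if (!cur.empty()) tokens.push_back(cur);
  for (const std::string& t : tokens) {
    if (!IsSafeOptionToken(t)) return false;
  }
  *argv = tokens;
  return true;
}
```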
Source
security@apache.org
NVD status
Analyzed
Products
brpc

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security@apache.org
CWE-77

Social media

Hype score
Not currently trending
  1. Top 5 Trending CVEs: 1 - CVE-2018-17144 2 - CVE-2025-29969 3 - CVE-2025-11730 4 - CVE-2026-21518 5 - CVE-2025-60021 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Feb 2026

    133 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #VulnerabilityReport #ApachebRPC CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection https://t.co/D7sWZKHSv8

    @Komodosec

    23 Feb 2026

    71 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  3. SmarterMail CVE-2025-60021 enables RCE via auth bypass. With CVSS 10.0, update vulnerable instances ASAP. Honeypots show active exploits. How do you prioritize patching email servers? #CVE #EmailSecurity

    @f3dscr0w

    2 Feb 2026

    65 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. Command injection in Apache bRPC heap profiler (CVE-2025-60021) A critical command injection flaw in Apache bRPC's /pprof/heap endpoint enables unauthenticated remote code execution (CVE-2025-60021, CVSS 9.8). https://t.co/qesPfW4GfP #CyberSecurity #AusCyber #ACSMag

    @arnavsharma

    29 Jan 2026

    92 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨🚨 1,700 hosts are affected according to Zoomeye: CRIT 10.0 #CVE-2025-60021 An #RCE allows auth bypass in "SmarterMail" and direct admin access. A PoC is in the wild and I have already been able to observe traffic from China. Important: everything below 9511 must be patched immediately

    @f3dscr0w

    23 Jan 2026

    105 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  6. ⚠️ Vulnerabilities in Apache products ❗ CVE-2025-68675 ❗ CVE-2025-68438 ❗ CVE-2025-60021 ➡️ More info: https://t.co/pFFA5LPHue https://t.co/lS0GELcr0e

    @CERTpy

    22 Jan 2026

    65 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 CVE-2025-60021 : CRITICAL VULNERABILITY ALERT 🚨 @TheASF An unauthenticated OS command injection vulnerability has been disclosed in Apache bRPC, a high-performance RPC framework widely used in microservices and cloud-native distributed systems. The Risk Severity: Criti

    @OstorlabSec

    21 Jan 2026

    51 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Critical vulnerability CVE-2025-60021 found in Apache bRPC's heap profiler service allows remote command injection. Upgrade to version 1.15.0 or apply the patch now! https://t.co/DFNc8Q5zEF #Security #Apache #Vulnerability #Upgrade #Patch #Remote #Injection #Update #Software http

    @dailytechonx

    20 Jan 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Critical RCE in Apache bRPC (CVE-2025-60021) Exposes Global AI Infrastructure Read the full report on - https://t.co/QZVf9ZQVep https://t.co/BrMiHgFDLD

    @cyberbivash

    20 Jan 2026

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. ⚠️⚠️ CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service 🔗FOFA Link: https://t.co/mQBisAVBpQ 🎯3.9k+ Results are found on the https://t.co/pb16tGYaKe nearly year. FOFA Query: app="bRPC" Refer: https://t.co/qY8E7to1sZ

    @fofabot

    20 Jan 2026

    2014 Impressions

    15 Retweets

    46 Likes

    15 Bookmarks

    1 Reply

    0 Quotes

  11. Command injection vulnerability in Apache bRPC (CVE-2025-60021) https://t.co/m9IjBh9yeI #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    20 Jan 2026

    136 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache bRPC. It affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1EyT4DxTk7 👇Que

    @HunterMapping

    20 Jan 2026

    3013 Impressions

    17 Retweets

    65 Likes

    33 Bookmarks

    1 Reply

    0 Quotes

  13. 🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache https://t.co/VAB0iaZDa2 affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1Ey

    @HunterMapping

    20 Jan 2026

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. 🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system command

    @ThreatSynop

    20 Jan 2026

    88 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system commands

    @ThreatSynop

    20 Jan 2026

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-60021 Apache bRPC - Remote Command Injection JeControlProfile Controller > uri_extra_options > cmd_str *uri_extra_options > read_command_output > read_command_output_through_popen > popen https://t.co/14rkc7qy58 https://t.co/Dgg3tmRVkJ #hawktrace #c

    @hawktrace

    19 Jan 2026

    305 Impressions

    7 Retweets

    12 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. 🚨Critical Apache bRPC Vulnerability Allows Remote Command Injection (CVE-2025-60021) 🔗 https://t.co/bqmNCfRA4n #cybersecurity #infosec #hacking https://t.co/s37jDmD0RV

    @zerodaywire

    19 Jan 2026

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. 🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th

    @zoomeye_team

    19 Jan 2026

    15684 Impressions

    53 Retweets

    152 Likes

    84 Bookmarks

    1 Reply

    1 Quote

  19. 🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th

    @zoomeye_team

    19 Jan 2026

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2025-60021: Apache bRPC vulnerability enables remote command injection CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection #DailyCyberSecurity (Jan 17) https://t.co/lfvAdydxlP

    @foxbook

    18 Jan 2026

    312 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. 🚨 Danger in Apache bRPC: a vulnerability allows remote control. Apache released an important update to fix a vulnerability in bRPC, a C++ framework used in large systems. The vulnerability CVE-2025-60021 allows an attacker to execute

    @MisbarSec

    18 Jan 2026

    74 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  22. How Apache bRPC’s Performance Tools Grant Unauthenticated Root Access (CVE-2025-60021) Read the full report on - https://t.co/vkoVhOS5AE https://t.co/RCUMxm6LcD

    @cyberbivash

    17 Jan 2026

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Apache bRPC flaw opens door to remote command injection: CVE-2025-60021 is a serious issue affecting high-performance systems. #apache #cybersecurity #vulnerability #rpc https://t.co/41Fhs5bSRC

    @xplain_it_again

    17 Jan 2026

    47 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection https://t.co/QKawgi5nkt

    @Karma_X_Inc

    17 Jan 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. CVE-2025-60021: Apache bRPC: Remote command injection in heap profiler builtin service https://t.co/BLs2AMAwmk Severity: important /pprof/heap does not validate the user-provided extra_options parameter and executes it as a command-line argument

    @oss_security

    16 Jan 2026

    432 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🔴 CVE-2025-60021 - Critical Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Caus... https://t.co/LOlaFvVaw2 https://t.co/ILdDfvt1vV

    @TheHackerWire

    16 Jan 2026

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. CVE-2025-60021 Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote com… https://t.co/Mh2x2Tk0x1

    @CVEnew

    16 Jan 2026

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

  1. CVE-2025-54472: Unlimited memory allocation in the redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via the network.

     Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of the corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this behaviour by sending special data packets to the bRPC service to carry out a denial-of-service attack on it. bRPC 1.14.0 tried to fix this issue by limiting the memory allocation size; however, the limit check is not implemented correctly, may overflow, and can therefore be evaded. So version 1.14.0 is also vulnerable, although the integer range that affects version 1.14.0 is different from the one that affects versions < 1.14.0.

     Affected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services.

     How to Fix: We provide two methods; you can choose one of them: 1. Upgrade bRPC to version 1.14.1. 2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually. Whichever method you choose, note that the patch limits the maximum length of memory allocated each time in the bRPC Redis parser. The default limit is 64M. If some of your Redis requests or responses are larger than 64M, you might encounter errors after upgrading. In that case, you can modify the gflag redis_max_allocation_size to set a larger limit.
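As an added example of the overflow-safe length check the 1.14.0 fix lacked (this is illustrative code, not bRPC's parser or the linked patch): the RESP length prefix is accumulated digit by digit with the bound tested before each step, so an oversized value is rejected as an overflow rather than wrapping into a small or negative number that passes the allocation limit. The 64M cap comes from the advisory text; the line is assumed to have its trailing CRLF already stripped.

```cpp
#include <cstdint>
#include <limits>
#include <string>

// Default cap taken from the advisory (64M). In bRPC this is configurable via
// the gflag redis_max_allocation_size; here it is a plain constant.
constexpr int64_t kDefaultMaxAllocation = 64 * 1024 * 1024;

// Outcome of parsing a RESP length prefix such as "$1024" or "*3".
enum class LengthStatus { kOk, kNullValue, kBadSyntax, kOverflow, kTooLarge };

// Parses the decimal length following the RESP type byte. The accumulator is
// checked against INT64_MAX before every multiply-and-add, so it can never
// wrap; only after a well-formed value is obtained is it compared against
// max_alloc, the size the parser is allowed to allocate.
LengthStatus ParseRespLength(const std::string& line, int64_t max_alloc, int64_t* out) {
  if (line.size() < 2 || (line[0] != '$' && line[0] != '*')) return LengthStatus::kBadSyntax;
  size_t i = 1;
  bool negative = false;
  if (line[i] == '-') { negative = true; ++i; }
  if (i >= line.size()) return LengthStatus::kBadSyntax;
  const int64_t kMax = std::numeric_limits<int64_t>::max();
  int64_t value = 0;
  for (; i < line.size(); ++i) {
    char c = line[i];
    if (c < '0' || c > '9') return LengthStatus::kBadSyntax;
    int digit = c - '0';
    // value * 10 + digit <= kMax  <=>  value <= (kMax - digit) / 10
    if (value > (kMax - digit) / 10) return LengthStatus::kOverflow;
    value = value * 10 + digit;
  }
  if (negative) {
    // RESP uses -1 for a null bulk string or null array; no other negative length is valid.
    if (value == 1) { *out = -1; return LengthStatus::kNullValue; }
    return LengthStatus::kBadSyntax;
  }
  if (value > max_alloc) return LengthStatus::kTooLarge;
  *out = value;
  return LengthStatus::kOk;
}
```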