AI description
CVE-2025-60021 is a remote command injection vulnerability in Apache bRPC, an industrial-grade C++ RPC framework. The flaw resides in the heap profiler built-in service, specifically the `/pprof/heap` endpoint. It stems from insufficient input validation: the user-supplied `extra_options` parameter is passed through as a command-line argument without sanitization, which allows an attacker to inject and execute commands on the server. Affected versions of Apache bRPC run from 1.11.0 up to, but not including, 1.15.0, on all platforms.
- Description
- Remote command injection vulnerability in heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter. Affected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.
- Source
- security@apache.org
- NVD status
- Analyzed
- Products
- brpc
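As an added defender's example (not code from this page or from the bRPC project): a small Python scanner that reads HTTP access-log lines, picks out requests to `/pprof/heap`, and flags any `extra_options` value that carries shell metacharacters, since the advisory above says that value reaches a command line unvalidated. The log lines, the metacharacter set and the `--text` option value are constructed for the example; the set should be tuned to what a given profiler deployment legitimately accepts.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not taken from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2026:10:00:01 +0000] "GET /pprof/heap HTTP/1.1" 200 512
10.0.0.5 - - [20/Jan/2026:10:00:02 +0000] "GET /pprof/heap?extra_options=--text HTTP/1.1" 200 9821
203.0.113.7 - - [20/Jan/2026:10:00:03 +0000] "GET /pprof/heap?extra_options=--text%3Bid HTTP/1.1" 200 301
203.0.113.7 - - [20/Jan/2026:10:00:04 +0000] "GET /status HTTP/1.1" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that let a value break out of a shell command line assembled by
# string concatenation (CWE-77). None of them belong in a profiler option.
SHELL_META = frozenset(";|&$`<>(){}\n\r")

# Builtin endpoint named by the advisory.
HEAP_PROFILER_PATH = "/pprof/heap"


def suspicious_extra_options(value: str) -> bool:
    """True if the (already URL-decoded) extra_options value carries shell metacharacters."""
    return any(ch in SHELL_META for ch in value)


def scan_log(text: str) -> list[dict]:
    """One finding per /pprof/heap request whose extra_options looks like an injection attempt."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        url = urlsplit(m["target"])
        if url.path != HEAP_PROFILER_PATH:
            continue
        # parse_qs percent-decodes, so %3B is examined as ';'
        for value in parse_qs(url.query, keep_blank_values=True).get("extra_options", []):
            if suspicious_extra_options(value):
                findings.append({"src": m["src"], "ts": m["ts"],
                                 "status": m["status"], "extra_options": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {HEAP_PROFILER_PATH} "
              f"extra_options={f['extra_options']!r} (HTTP {f['status']})")
```

A 200 response on a flagged request is the line to escalate on, because it means the profiler endpoint was reachable and processed the request.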
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@apache.org
- CWE-77
- Hype score
- Not currently trending
SmarterMail CVE-2025-60021 enables RCE via auth bypass. With CVSS 10.0, update vulnerable instances ASAP. Honeypots show active exploits. How do you prioritize patching email servers? #CVE #EmailSecurity
@f3dscr0w
2 Feb 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Command injection in Apache bRPC heap profiler (CVE-2025-60021) A critical command injection flaw in Apache bRPC's /pprof/heap endpoint enables unauthenticated remote code execution (CVE-2025-60021, CVSS 9.8). https://t.co/qesPfW4GfP #CyberSecurity #AusCyber #ACSMag
@arnavsharma
29 Jan 2026
92 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨🚨 1,700 hosts according to Zoomeye are affected: CRIT 10.0 #CVE-2025-60021 An #RCE allows auth bypass in "SmarterMail" and direct admin access. A PoC is out in the wild and I have already observed traffic from China. Important: everything below 9511 must be patched immediately
@f3dscr0w
23 Jan 2026
105 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
⚠️ Vulnerabilities in Apache products ❗ CVE-2025-68675 ❗ CVE-2025-68438 ❗ CVE-2025-60021 ➡️ More info: https://t.co/pFFA5LPHue https://t.co/lS0GELcr0e
@CERTpy
22 Jan 2026
65 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-60021 : CRITICAL VULNERABILITY ALERT 🚨 @TheASF An unauthenticated OS command injection vulnerability has been disclosed in Apache bRPC, a high-performance RPC framework widely used in microservices and cloud-native distributed systems. The Risk Severity: Criti
@OstorlabSec
21 Jan 2026
51 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability CVE-2025-60021 found in Apache bRPC's heap profiler service allows remote command injection. Upgrade to version 1.15.0 or apply the patch now! https://t.co/DFNc8Q5zEF #Security #Apache #Vulnerability #Upgrade #Patch #Remote #Injection #Update #Software http
@dailytechonx
20 Jan 2026
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical RCE in Apache bRPC (CVE-2025-60021) Exposes Global AI Infrastructure Read the full report on - https://t.co/QZVf9ZQVep https://t.co/BrMiHgFDLD
@cyberbivash
20 Jan 2026
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️⚠️ CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service 🔗FOFA Link: https://t.co/mQBisAVBpQ 🎯3.9k+ Results are found on the https://t.co/pb16tGYaKe nearly year. FOFA Query: app="bRPC" Refer: https://t.co/qY8E7to1sZ
@fofabot
20 Jan 2026
2014 Impressions
15 Retweets
46 Likes
15 Bookmarks
1 Reply
0 Quotes
Command injection vulnerability in Apache bRPC (CVE-2025-60021) https://t.co/m9IjBh9yeI #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
20 Jan 2026
136 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache bRPC. It affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1EyT4DxTk7 👇Que
@HunterMapping
20 Jan 2026
3013 Impressions
17 Retweets
65 Likes
33 Bookmarks
1 Reply
0 Quotes
🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache https://t.co/VAB0iaZDa2 affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1Ey
@HunterMapping
20 Jan 2026
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system command
@ThreatSynop
20 Jan 2026
88 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system commands
@ThreatSynop
20 Jan 2026
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021 Apache bRPC - Remote Command Injection JeControlProfile Controller > uri_extra_options > cmd_str *uri_extra_options > read_command_output > read_command_output_through_popen > popen https://t.co/14rkc7qy58 https://t.co/Dgg3tmRVkJ #hawktrace #c
@hawktrace
19 Jan 2026
305 Impressions
7 Retweets
12 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Critical Apache bRPC Vulnerability Allows Remote Command Injection (CVE-2025-60021) 🔗 https://t.co/bqmNCfRA4n #cybersecurity #infosec #hacking https://t.co/s37jDmD0RV
@zerodaywire
19 Jan 2026
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th
@zoomeye_team
19 Jan 2026
15684 Impressions
53 Retweets
152 Likes
84 Bookmarks
1 Reply
1 Quote
🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th
@zoomeye_team
19 Jan 2026
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021: Apache bRPC vulnerability allows remote command injection CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection #DailyCyberSecurity (Jan 17) https://t.co/lfvAdydxlP
@foxbook
18 Jan 2026
312 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Danger in Apache bRPC: a vulnerability allows remote control. Apache has released an important update to fix a vulnerability in bRPC, a C++ framework used in large systems. The vulnerability CVE-2025-60021 allows an attacker to execute
@MisbarSec
18 Jan 2026
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
How Apache bRPC’s Performance Tools Grant Unauthenticated Root Access (CVE-2025-60021) Read the full report on - https://t.co/vkoVhOS5AE https://t.co/RCUMxm6LcD
@cyberbivash
17 Jan 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache bRPC flaw opens door to remote command injection: CVE-2025-60021 is a serious issue affecting high-performance systems. #apache #cybersecurity #vulnerability #rpc https://t.co/41Fhs5bSRC
@xplain_it_again
17 Jan 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection https://t.co/QKawgi5nkt
@Karma_X_Inc
17 Jan 2026
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021: Apache bRPC: Remote command injection in heap profiler builtin service https://t.co/BLs2AMAwmk Severity: important /pprof/heap does not validate the user-provided extra_options parameter and executes it as a command-line argument
@oss_security
16 Jan 2026
432 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
🔴 CVE-2025-60021 - Critical Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Caus... https://t.co/LOlaFvVaw2 https://t.co/ILdDfvt1vV
@TheHackerWire
16 Jan 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021 Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote com… https://t.co/Mh2x2Tk0x1
@CVEnew
16 Jan 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "23A269EA-30FC-44CB-8613-380E64BD66F5",
"versionEndExcluding": "1.15.0",
"versionStartIncluding": "1.11.0"
}
],
"operator": "OR"
}
]
}
]