- Description
- Remote command injection vulnerability in the heap profiler builtin service in Apache bRPC (all versions < 1.15.0) on all platforms allows an attacker to inject remote commands. Root cause: the bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument, so an attacker can execute remote commands through the extra_options parameter. Affected scenarios: using the built-in bRPC heap profiler service to perform jemalloc memory profiling. How to fix: two methods are provided; choose one of them: 1. Upgrade bRPC to version 1.15.0. 2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.
- Source
- security@apache.org
- NVD status
- Analyzed
- Products
- brpc
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security@apache.org
- CWE-77
- Hype score
- Not currently trending
Top 5 Trending CVEs: 1 - CVE-2018-17144 2 - CVE-2025-29969 3 - CVE-2025-11730 4 - CVE-2026-21518 5 - CVE-2025-60021 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W
@CVEShield
23 Feb 2026
133 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
#VulnerabilityReport #ApachebRPC CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection https://t.co/D7sWZKHSv8
@Komodosec
23 Feb 2026
71 Impressions
1 Retweet
2 Likes
1 Bookmark
1 Reply
0 Quotes
SmarterMail CVE-2025-60021 enables RCE via auth bypass. With CVSS 10.0, update vulnerable instances ASAP. Honeypots show active exploits. How do you prioritize patching email servers? #CVE #EmailSecurity
@f3dscr0w
2 Feb 2026
65 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Command injection in Apache bRPC heap profiler (CVE-2025-60021) A critical command injection flaw in Apache bRPC's /pprof/heap endpoint enables unauthenticated remote code execution (CVE-2025-60021, CVSS 9.8). https://t.co/qesPfW4GfP #CyberSecurity #AusCyber #ACSMag
@arnavsharma
29 Jan 2026
92 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨🚨 1,700 hosts according to Zoomeye are affected: CRIT 10.0 #CVE-2025-60021 An #RCE allows auth bypass in "SmarterMail" and direct admin access. A PoC is out in the wild and I have already been able to observe China traffic. Important: everything below 9511 must be patched immediately
@f3dscr0w
23 Jan 2026
105 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
⚠️ Vulnerabilities in Apache products ❗ CVE-2025-68675 ❗ CVE-2025-68438 ❗ CVE-2025-60021 ➡️ More info: https://t.co/pFFA5LPHue https://t.co/lS0GELcr0e
@CERTpy
22 Jan 2026
65 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-60021 : CRITICAL VULNERABILITY ALERT 🚨 @TheASF An unauthenticated OS command injection vulnerability has been disclosed in Apache bRPC, a high-performance RPC framework widely used in microservices and cloud-native distributed systems. The Risk Severity: Criti
@OstorlabSec
21 Jan 2026
51 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Critical vulnerability CVE-2025-60021 found in Apache bRPC's heap profiler service allows remote command injection. Upgrade to version 1.15.0 or apply the patch now! https://t.co/DFNc8Q5zEF #Security #Apache #Vulnerability #Upgrade #Patch #Remote #Injection #Update #Software http
@dailytechonx
20 Jan 2026
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical RCE in Apache bRPC (CVE-2025-60021) Exposes Global AI Infrastructure Read the full report on - https://t.co/QZVf9ZQVep https://t.co/BrMiHgFDLD
@cyberbivash
20 Jan 2026
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️⚠️ CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service 🔗FOFA Link: https://t.co/mQBisAVBpQ 🎯3.9k+ Results are found on the https://t.co/pb16tGYaKe nearly year. FOFA Query: app="bRPC" Refer: https://t.co/qY8E7to1sZ
@fofabot
20 Jan 2026
2014 Impressions
15 Retweets
46 Likes
15 Bookmarks
1 Reply
0 Quotes
Command injection vulnerability in Apache bRPC (CVE-2025-60021) https://t.co/m9IjBh9yeI #セキュリティ対策Lab #セキュリティ #Security
@securityLab_jp
20 Jan 2026
136 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache bRPC. It affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1EyT4DxTk7 👇Que
@HunterMapping
20 Jan 2026
3013 Impressions
17 Retweets
65 Likes
33 Bookmarks
1 Reply
0 Quotes
🚨Alert🚨 CVE-2025-60021 (CVSS 9.8): Remote Command Injection Vulnerability in Heap Profiler Builtin Service in Apache https://t.co/VAB0iaZDa2 affects versions before 1.15.0. 📊 22.5K Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/1Ey
@HunterMapping
20 Jan 2026
75 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system command
@ThreatSynop
20 Jan 2026
88 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Apache bRPC RCE Flaw Lets Attackers Inject Commands via /pprof/heap (CVE-2025-60021) A command-injection bug in Apache bRPC’s built-in heap profiler endpoint (`/pprof/heap`) lets attackers abuse the unvalidated `extra_options` parameter to execute arbitrary system commands
@ThreatSynop
20 Jan 2026
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021 Apache bRPC - Remote Command Injection JeControlProfile Controller > uri_extra_options > cmd_str *uri_extra_options > read_command_output > read_command_output_through_popen > popen https://t.co/14rkc7qy58 https://t.co/Dgg3tmRVkJ #hawktrace #c
@hawktrace
19 Jan 2026
305 Impressions
7 Retweets
12 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨Critical Apache bRPC Vulnerability Allows Remote Command Injection (CVE-2025-60021) 🔗 https://t.co/bqmNCfRA4n #cybersecurity #infosec #hacking https://t.co/s37jDmD0RV
@zerodaywire
19 Jan 2026
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th
@zoomeye_team
19 Jan 2026
15684 Impressions
53 Retweets
152 Likes
84 Bookmarks
1 Reply
1 Quote
🚨 CVE-2025-60021 (CVSS 9.8): Apache bRPC: Remote command injection vulnerability in heap builtin service Apache bRPC is vulnerable to remote command injection. Untrusted input in the heap profiler's extra_options parameter allows attackers to execute arbitrary commands via th
@zoomeye_team
19 Jan 2026
20 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021: Apache bRPC vulnerability enables remote command injection CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection #DailyCyberSecurity (Jan 17) https://t.co/lfvAdydxlP
@foxbook
18 Jan 2026
312 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Danger in Apache bRPC: a vulnerability allows remote control. Apache has released an important update to fix a vulnerability in bRPC, a C++ framework used in large systems. The vulnerability CVE-2025-60021 allows an attacker to execute
@MisbarSec
18 Jan 2026
74 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
How Apache bRPC’s Performance Tools Grant Unauthenticated Root Access (CVE-2025-60021) Read the full report on - https://t.co/vkoVhOS5AE https://t.co/RCUMxm6LcD
@cyberbivash
17 Jan 2026
1 Impression
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Apache bRPC flaw opens door to remote command injection: CVE-2025-60021 is a serious issue affecting high-performance systems. #apache #cybersecurity #vulnerability #rpc https://t.co/41Fhs5bSRC
@xplain_it_again
17 Jan 2026
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021: Apache bRPC Flaw Opens Door to Remote Command Injection https://t.co/QKawgi5nkt
@Karma_X_Inc
17 Jan 2026
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021: Apache bRPC: Remote command injection in heap profiler builtin service https://t.co/BLs2AMAwmk Severity: important /pprof/heap does not validate the user-provided extra_options parameter and executes it as a command-line argument
@oss_security
16 Jan 2026
432 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
🔴 CVE-2025-60021 - Critical Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Caus... https://t.co/LOlaFvVaw2 https://t.co/ILdDfvt1vV
@TheHackerWire
16 Jan 2026
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-60021 Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote com… https://t.co/Mh2x2Tk0x1
@CVEnew
16 Jan 2026
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:brpc:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "23A269EA-30FC-44CB-8613-380E64BD66F5",
            "versionEndExcluding": "1.15.0",
            "versionStartIncluding": "1.11.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]