Apache bRPC Critical Remote Command Injection Vulnerability
Take action: If you are using Apache bRPC, make sure all bRPC instances are isolated from the internet and accessible from trusted networks only. Disable the heap profiler service to prevent attackers from running remote commands on your servers and plan a quick upgrade to version 1.15.0.
Apache bRPC, an open-source Remote Procedure Call framework, is reporting a critical security flaw that allows attackers to take over systems.
The flaw is tracked as CVE-2025-60021 (CVSS score 9.8), a remote command injection vulnerability in the heap profiler service caused by unvalidated extra_options parameters. The root cause is a failure to check user input in the /pprof/heap endpoint, which handles memory profiling through jemalloc. The endpoint accepts a parameter called extra_options but does not sanitize its contents. Attackers can inject command-line arguments through this field, and the service passes them straight to the command it executes. An attacker who can reach the service can therefore run arbitrary commands with the same privileges as the bRPC process.
All versions of Apache bRPC before 1.15.0 are affected across all platforms. Successful attacks can lead to lateral movement within the network, the installation of persistent backdoors, and the theft of sensitive corporate data.
The Apache Software Foundation has released version 1.15.0 to fix this issue. The update adds proper validation for the extra_options parameter. If you cannot upgrade immediately, apply the manual patch available in the official GitHub repository. Security teams should prioritize inventorying all bRPC instances and checking their versions.
Until the flaw is patched, administrators should use network segmentation to keep the /pprof/heap endpoint off the internet and should turn off the heap profiler service if it is not needed for active monitoring. A Web Application Firewall (WAF) rule that blocks suspicious extra_options values in bRPC requests can serve as a stopgap.
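To support the inventory and monitoring steps above, here is an added example (not code from the page or from the bRPC project) that scans access-log lines for requests to /pprof/heap and flags any extra_options value containing characters outside a conservative option-token allowlist. The log format, the SAFE_TOKEN pattern and the sample lines are assumptions for illustration, not bRPC's actual parsing rules.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in common log format (assumption: the
# server fronting bRPC logs the request line; these are not real captures).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /pprof/heap HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /pprof/heap?extra_options=--lines HTTP/1.1" 200 700
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /pprof/heap?extra_options=--lines;echo%20probe HTTP/1.1" 200 700
10.0.0.5 - - [01/Jan/2025:10:00:03 +0000] "GET /status HTTP/1.1" 200 100
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allowlist for one profiler option token: optional leading dashes, then
# letters, digits, "_", "-", "=", ".", "/". Shell metacharacters (";", "|", "&",
# "$", backticks, quotes) never match and are treated as suspicious.
SAFE_TOKEN = re.compile(r"^-{0,2}[A-Za-z0-9_][A-Za-z0-9_=./-]*$")


def classify_extra_options(value):
    """Return 'absent', 'benign' or 'suspicious' for one extra_options value.

    A value is benign only when every whitespace-separated token matches
    SAFE_TOKEN; an empty value has nothing to inject and is also benign.
    """
    if value is None:
        return "absent"
    tokens = value.split()
    return "benign" if all(SAFE_TOKEN.match(t) for t in tokens) else "suspicious"


def scan_log(text):
    """Return (source IP, raw extra_options value, verdict) per /pprof/heap request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != "/pprof/heap":
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        value = params.get("extra_options", [None])[0]
        findings.append((m.group("src"), value, classify_extra_options(value)))
    return findings


if __name__ == "__main__":
    for src, value, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {src:15} extra_options={value!r}")
```

Any "suspicious" hit from an untrusted source is a reason to confirm the instance's version and that the profiler service is disabled; "absent" hits still tell you which hosts expose the endpoint at all.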