{"schema_version": "1.6.1", "id": "CVE-2025-60021", "summary": "Remote command injection vulnerability in heap builtin service", "details": "Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command.\n\n\n\nRoot Cause: The bRPC heap profiler built-in service (/pprof/heap) does not validate the user-provided extra_options parameter and executes it as a command-line argument. Attackers can execute remote commands using the extra_options parameter..\n\nAffected scenarios: Use the built-in bRPC heap profiler service to perform jemalloc memory profiling.\n\nHow to Fix: we provide two methods, you can choose one of them:\n\n1. Upgrade bRPC to version 1.15.0.\n2. Apply this patch ( https://github.com/apache/brpc/pull/3101 ) manually.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "1.11.0"}, {"fixed": "1.15.0"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx5845q7b37m"}]}