Remote Command Injection in Apache bRPC Heap Profiler Service
CVE-2025-60021

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Brpc
Vendor: CVE Published:; 16 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-60021?

A vulnerability in the Apache bRPC heap profiler service allows remote command injection due to insufficient validation of user-supplied parameters. Specifically, the built-in service executes commands without proper sanitization when the 'extra_options' parameter is used. This flaw enables attackers to execute arbitrary commands on the server, particularly targeting the jemalloc memory profiling feature. To mitigate this risk, users are advised to upgrade to bRPC version 1.15.0 or apply the provided patch.

Affected Version(s)

Apache bRPC 1.11.0 < 1.15.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-60021-PoC-Apache-bRPC-Heap-Profiler-Command-Injection
Created by ninjazan420

References

https://lists.apache.org/thread/xy51d2fx6drzhfp92xptsx584...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 19, 2026
👾
Exploit known to exist
Jan 19, 2026
Vulnerability published
Jan 16, 2026
Vulnerability Reserved
Sep 24, 2025

Credit

Simcha Kosman

JSON