Threat Advisory

Arc Vulnerability Exposes Sensitive Information

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48050 (CVSS 7.5) is a vulnerability in the Arc framework affecting all builds prior to version 0.0.0-20260520170331-32a4091fb949. The Go net/http/pprof handlers are registered on the public API path /debug/pprof/* without authentication: the auth middleware short-circuits on a prefix match and so treats the pprof endpoints as publicly accessible, letting any network-reachable client issue HTTP requests to these diagnostic URLs. An attacker can send unauthenticated GET requests to /debug/pprof/heap to dump live in-memory data such as SQL queries, decoded MsgPack records, and cached token hashes, or to /debug/pprof/goroutine?debug=2 to harvest full call stacks, and can request /debug/pprof/profile?seconds=N or /debug/pprof/trace to tie up a CPU core for arbitrarily long periods, producing a CPU-burn denial of service. The resulting impact is exposure of sensitive runtime information and exhaustion of server resources, which can lead to credential compromise, loss of data confidentiality, and prolonged service outages. Exploitation requires only network access to a vulnerable Arc instance running the default configuration: no authentication, rate limiting, or input validation is enforced on these paths, so the attacker need only reach the public API port on which the pprof endpoints are bound.
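
The following Go program is an added illustration of the bug class described above, written for this advisory; it is not Arc's code, and the route names, token value and allow-list are constructed for the example. It places a prefix-matching auth middleware (which lets /debug/pprof/* through because "/debug" is on the public list) next to an exact-match version, registers the standard net/http/pprof handlers on the same mux as the API, and probes /debug/pprof/heap with and without credentials so the difference is observable.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"strings"
)

// validToken is a constructed credential for the example, not a real secret.
const validToken = "example-token"

// publicPrefixes is the kind of allow-list that causes the flaw: a prefix
// match on "/debug" also matches "/debug/pprof/heap".
var publicPrefixes = []string{"/healthz", "/debug"}

// publicExact is the hardened allow-list: only exact paths are public.
var publicExact = map[string]bool{"/healthz": true}

func authOK(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer "+validToken
}

// VulnerableAuth short-circuits on a prefix match and skips the credential
// check for anything under a public prefix, including /debug/pprof/*.
func VulnerableAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, p := range publicPrefixes {
			if strings.HasPrefix(r.URL.Path, p) {
				next.ServeHTTP(w, r) // no auth check at all
				return
			}
		}
		if !authOK(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// HardenedAuth only bypasses the credential check for exact public paths,
// so every /debug/pprof/* request must carry a valid token.
func HardenedAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if publicExact[r.URL.Path] {
			next.ServeHTTP(w, r)
			return
		}
		if !authOK(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// buildAPI registers a health check, an API route and the standard pprof
// handlers on one mux, mirroring the "pprof on the public API port" layout.
func buildAPI() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	mux.HandleFunc("/api/data", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "private") })
	mux.HandleFunc("/debug/pprof/", pprof.Index) // also serves named profiles such as /debug/pprof/heap
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// ProbeStatus issues an in-process GET for path, optionally with a bearer
// token, and returns the HTTP status the handler chain produced.
func ProbeStatus(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := VulnerableAuth(buildAPI())
	fixed := HardenedAuth(buildAPI())
	fmt.Println("vulnerable, no auth, /debug/pprof/heap:", ProbeStatus(vuln, "/debug/pprof/heap", ""))
	fmt.Println("hardened,   no auth, /debug/pprof/heap:", ProbeStatus(fixed, "/debug/pprof/heap", ""))
	fmt.Println("hardened,   token,   /debug/pprof/heap:", ProbeStatus(fixed, "/debug/pprof/heap", validToken))
	fmt.Println("hardened,   no auth, /healthz:          ", ProbeStatus(fixed, "/healthz", ""))
}
```

The same probe, run against a live instance with a plain `GET /debug/pprof/heap` and no credentials, is the quickest way to confirm whether a deployment is affected: a 200 with a profile body means the handlers are exposed. Even with the exact-match fix, the more conservative layout is to keep pprof off the public listener entirely and serve it from a separate loopback-only or operator-network server, so that a future middleware regression cannot expose it again.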

RECOMMENDATION:

  • We recommend updating Arc to version 0.0.0-20260520170331-32a4091fb949 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-j93g-rp6m-j32m
