EXECUTIVE SUMMARY:
CVE-2026-48050 (CVSS score 7.5) is a vulnerability in the Arc application (go/github.com/basekick-labs/arc) affecting all releases prior to version 0.0.0-20260520170331-32a4091fb949. The flaw stems from the registration of Go's net/http/pprof profiling handlers at the public path /debug/pprof/* without proper authentication checks: the auth middleware skips token validation when the request URL matches this prefix. An unauthenticated attacker who can reach the service over the network can issue simple HTTP GET requests to endpoints such as /debug/pprof/heap, /debug/pprof/goroutine?debug=2, /debug/pprof/profile?seconds=N, or /debug/pprof/trace. These requests expose in-memory data (including live SQL queries, token caches, and request bodies) and allow the attacker to trigger CPU-intensive profiling for an arbitrary duration, effectively locking a CPU core and causing denial of service. The attacker gains visibility into sensitive runtime state and the ability to degrade service performance at will. Business impact includes potential leakage of confidential data, loss of service availability, and increased operational costs due to resource exhaustion. Exploitation requires only network access to the Arc API port; no authentication, rate limiting, or credential disclosure is needed, and the attack succeeds as long as the pprof endpoints remain publicly exposed.
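The middleware flaw described above, reduced to a standard-library sketch: this is an added example, not Arc's code and not taken from the advisory. The /api/query route, the validToken value and the skipPprof switch are assumptions made for illustration; with skipPprof set to false, pprof paths go through the same token check as every other route.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"strings"
)

const validToken = "Bearer example-token" // constructed sample credential

// newMux registers a hypothetical API route and the pprof index handler.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/query", func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	return mux
}

// authMiddleware validates the token on every request. skipPprof=true
// reproduces the flawed pattern: paths under /debug/pprof/ skip the check.
func authMiddleware(next http.Handler, skipPprof bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if skipPprof && strings.HasPrefix(r.URL.Path, "/debug/pprof/") {
			next.ServeHTTP(w, r) // flawed: no token validation
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte(validToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends an in-process GET and returns the response status code.
func status(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("flawed:", status(authMiddleware(newMux(), true), "/debug/pprof/heap", ""))
	fmt.Println("fixed:", status(authMiddleware(newMux(), false), "/debug/pprof/heap", ""))
}
```

The same status helper works as a regression check in a test suite: any /debug/pprof/ path requested without a token should return 401.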
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-j93g-rp6m-j32m