SYM_GO_0025 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Active Debug Code
| Property | Value |
|---|---|
| Language | Go |
| Severity | |
| CWE | CWE-489: Active Debug Code |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

The Go pprof profiling endpoints are exposed under `/debug/pprof` in production, which can leak detailed information about the server's internals. This happens when `net/http/pprof` is imported without restricting access to those routes: importing the package registers its handlers on `http.DefaultServeMux` as a side effect, so any server that serves the default mux makes them available to every client.
## Impact

If left open, attackers could access sensitive profiling data such as memory statistics, goroutine dumps, or CPU profiles, which makes it easier to exploit other vulnerabilities or to perform denial-of-service attacks. This exposure aids reconnaissance and weakens the application's overall security posture.
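The following is an added example (not code from the Symbiotic database or from any project it describes) showing the hardened layout the description implies: the public listener uses a fresh `ServeMux` that never carries the profiling routes, and the pprof handlers are mounted explicitly on a separate mux bound to the loopback interface. It also makes the pitfall visible: because the file imports `net/http/pprof`, `http.DefaultServeMux` silently serves `/debug/pprof/`, which is exactly what a server started with a `nil` handler would expose. The function names and the `127.0.0.1:6060` and `:8080` addresses are assumptions chosen for illustration.

```go
package main

import (
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"time"
)

// newPublicMux builds the mux that faces the internet. It is a fresh ServeMux
// holding only application routes, so the handlers that net/http/pprof
// registers on http.DefaultServeMux at import time are not reachable through it.
func newPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "ok")
	})
	return mux
}

// newDebugMux mounts the pprof handlers explicitly on a separate mux that main
// binds to the loopback interface only, so profiling data stays available to
// operators on the host but is never served from the public listener.
func newDebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// statusFor sends an in-process GET to a handler and returns the status code.
// It doubles as a release-time regression check: the public mux must answer
// 404 for /debug/pprof/.
func statusFor(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// Self-check before serving: the public mux hides the profiling routes,
	// while the default mux exposes them purely because of the import above.
	log.Printf("public  /debug/pprof/ -> %d (want 404)", statusFor(newPublicMux(), "/debug/pprof/"))
	log.Printf("debug   /debug/pprof/ -> %d (want 200)", statusFor(newDebugMux(), "/debug/pprof/"))
	log.Printf("default /debug/pprof/ -> %d (what a nil handler would expose)", statusFor(http.DefaultServeMux, "/debug/pprof/"))

	// Debug listener on loopback only (assumed address; adjust to the deployment).
	go func() {
		debugSrv := &http.Server{Addr: "127.0.0.1:6060", Handler: newDebugMux(), ReadHeaderTimeout: 5 * time.Second}
		log.Fatal(debugSrv.ListenAndServe())
	}()

	// Public listener: always pass an explicit handler, never nil (the default mux).
	pubSrv := &http.Server{Addr: ":8080", Handler: newPublicMux(), ReadHeaderTimeout: 5 * time.Second}
	log.Fatal(pubSrv.ListenAndServe())
}
```

The `statusFor` probe against `http.DefaultServeMux` is the quickest way to notice that some transitive dependency has pulled in `net/http/pprof`; keeping that assertion in the test suite catches the regression even when nobody reviewed the import.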