CVE-2026-45044
Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to invoke profiling handlers without credentials. On supported builds (e.g., glibc), the handler invokes a fixed 60-second CPU profiling operation (dump_cpu_pprof_for(Duration::from_secs(60))). This may result in significant CPU resource consumption per request and can potentially lead to denial of service when abused. Additionally, the handler returns the server’s absolute filesystem path in the response body, resulting in information disclosure. This vulnerability is fixed in 1.0.0-beta.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated endpoints /profile/cpu and /profile/memory in RustFS before 1.0.0-beta.2 allow path disclosure and potentially a CPU-based denial-of-service condition.
Vulnerability
In RustFS versions prior to 1.0.0-beta.2, the admin router in rustfs/src/admin/router.rs explicitly whitelists the GET endpoints /profile/cpu and /profile/memory from the authentication layer [1]. This allows any unauthenticated HTTP client to reach the profiling handlers without credentials. On supported builds (e.g., glibc), the CPU profiling endpoint invokes dump_cpu_pprof_for(Duration::from_secs(60)), which executes a fixed 60-second CPU-intensive profiling operation [1]. The memory profiling endpoint, while invoked, returns a 500 error on musl/Docker builds, confirming that the request bypasses authentication checks and reaches the handler [1].
Exploitation
An attacker with network access to the RustFS service can send HTTP GET requests to either /profile/cpu or /profile/memory without any authentication tokens or headers [1]. No privileges, user interaction, or specific configuration is required. For the CPU endpoint, each request triggers the 60-second profiling operation; an attacker can make multiple concurrent requests to amplify the impact [1]. The profile.rs handler also returns the server's absolute filesystem path in the response body, resulting in information disclosure [1].
Impact
Successful exploitation results in authentication bypass, allowing any network-reachable client to invoke profiling handlers without credentials [1]. On supported (glibc) builds, repeated requests to /profile/cpu can exhaust server CPU resources, potentially leading to a denial-of-service condition [1]. Additionally, the response body discloses the server's absolute filesystem path, which aids further reconnaissance [1]. On musl/Docker builds, the authentication bypass is confirmed via the 500 error response (instead of the expected 401/403), but the CPU profiling operation may not execute due to platform limitations [1].
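For defenders, the behaviour described above is visible in admin-port access logs: any request that reaches /profile/cpu or /profile/memory, whatever status it gets back (200 on glibc builds, 500 on musl builds), shows the router let it past authentication, and several /profile/cpu requests from one client inside a 60-second window mean overlapping profiling runs. The following Rust program is an added example, not RustFS code: its log format is a constructed simplification (`<unix_ts> <client_ip> <method> <path> <status>`), the sample log lines are constructed, and the burst threshold is an assumption to tune per deployment.

```rust
// Added example (not RustFS code): flag requests that reached the
// profiling handlers and detect /profile/cpu bursts from one client.
//
// Constructed, simplified log format:
//   <unix_ts> <client_ip> <method> <path> <status>
// The real RustFS log layout is not assumed here; adapt the parser.
use std::collections::HashMap;

/// The two paths the vulnerable admin router exempted from authentication.
const PROFILING_PATHS: [&str; 2] = ["/profile/cpu", "/profile/memory"];

/// Each /profile/cpu request runs a fixed 60-second profile, so requests
/// from one client arriving within this window overlap on the CPU.
const CPU_PROFILE_SECS: u64 = 60;

#[derive(Debug, Clone, PartialEq)]
pub struct Hit {
    pub ts: u64,
    pub client: String,
    pub path: String,
    pub status: u16,
}

/// Parse one log line; returns None for malformed lines or for
/// requests that do not target a profiling path.
pub fn parse_profiling_hit(line: &str) -> Option<Hit> {
    let mut f = line.split_whitespace();
    let ts = f.next()?.parse::<u64>().ok()?;
    let client = f.next()?.to_string();
    let _method = f.next()?;
    let path = f.next()?;
    let status = f.next()?.parse::<u16>().ok()?;
    // Strip any query string before matching the path.
    let bare = path.split('?').next().unwrap_or(path);
    if !PROFILING_PATHS.contains(&bare) {
        return None;
    }
    Some(Hit { ts, client, path: bare.to_string(), status })
}

/// Every profiling hit in the log. Any hit is notable on a vulnerable
/// build: a 200 is an authentication bypass that ran the handler, and a
/// 500 (musl builds) still proves the request got past the auth layer.
pub fn profiling_hits(log: &str) -> Vec<Hit> {
    log.lines().filter_map(parse_profiling_hit).collect()
}

/// Clients that sent more than `threshold` /profile/cpu requests inside
/// one 60-second window, i.e. overlapping profiling runs (DoS pattern).
pub fn cpu_burst_clients(hits: &[Hit], threshold: usize) -> Vec<String> {
    let mut by_client: HashMap<&str, Vec<u64>> = HashMap::new();
    for h in hits.iter().filter(|h| h.path == "/profile/cpu") {
        by_client.entry(h.client.as_str()).or_default().push(h.ts);
    }
    let mut out = Vec::new();
    for (client, mut ts) in by_client {
        ts.sort_unstable();
        // Sliding window over sorted timestamps: count requests that fall
        // within CPU_PROFILE_SECS of each other.
        let mut start = 0;
        for end in 0..ts.len() {
            while ts[end] - ts[start] >= CPU_PROFILE_SECS {
                start += 1;
            }
            if end - start + 1 > threshold {
                out.push(client.to_string());
                break;
            }
        }
    }
    out.sort();
    out
}

/// Constructed sample log: one scanner probing both endpoints once, and
/// one client firing five CPU profiles within 20 seconds.
pub const SAMPLE_LOG: &str = "\
1700000000 10.0.0.5 GET /rustfs/admin/debug/pprof/profile 403
1700000001 10.0.0.5 GET /profile/memory 500
1700000002 10.0.0.5 GET /profile/cpu 200
1700000100 10.0.0.9 GET /profile/cpu 200
1700000105 10.0.0.9 GET /profile/cpu 200
1700000110 10.0.0.9 GET /profile/cpu?x=1 200
1700000115 10.0.0.9 GET /profile/cpu 200
1700000120 10.0.0.9 GET /profile/cpu 200
1700000130 10.0.0.7 GET /bucket/object 200
";

fn main() {
    let hits = profiling_hits(SAMPLE_LOG);
    for h in &hits {
        println!("profiling endpoint reached: {:?}", h);
    }
    for c in cpu_burst_clients(&hits, 3) {
        println!("CPU profiling burst from {}", c);
    }
}
```

The first check (any hit at all) is the one that matters on a patched deployment too: after upgrading, a 200 on either path from a client with no credentials would mean the fix is not in effect.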
Mitigation
The vulnerability is fixed in RustFS version 1.0.0-beta.2 [1]. Users should upgrade to the patched version immediately. No workarounds are documented in the available references. If upgrading is not possible, network administrators can restrict access to the profiling endpoints via firewall rules or reverse-proxy configurations to block unauthenticated requests [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The admin router explicitly whitelists /profile/cpu and /profile/memory from authentication, allowing unauthenticated access to profiling handlers."
Attack vector
Any unauthenticated HTTP client on the network can send a GET request to `/profile/cpu` or `/profile/memory` on the admin port [ref_id=1]. The admin router skips authentication for these two paths, so the request reaches the profiling handler without any credential check [ref_id=1]. On glibc-based builds, the CPU profiling handler runs a fixed 60-second profiling operation per request, which an attacker can abuse with concurrent requests to exhaust server CPU resources, leading to denial of service [ref_id=1]. Additionally, the handler returns the server's absolute filesystem path in the HTTP response body, disclosing internal path information [ref_id=1].
Affected code
The vulnerability is in `rustfs/src/admin/router.rs` where the authentication bypass occurs — the router explicitly whitelists `/profile/cpu` and `/profile/memory` from the authentication layer via a check that returns `Ok(())` before any credential validation [ref_id=1]. The profiling handlers in `rustfs/src/admin/handlers/profile.rs` then execute without authentication, and on supported builds invoke `dump_cpu_pprof_for(Duration::from_secs(60))` [ref_id=1].
What the fix does
The advisory states the fix is in version 1.0.0-beta.2, but no patch diff is included in the bundle [ref_id=1]. The remediation removes the authentication bypass by making the `/profile/cpu` and `/profile/memory` endpoints subject to the same authentication checks as the rest of the admin router, matching the correctly guarded sibling endpoint `/rustfs/admin/debug/pprof/profile`, which returns `403 AccessDenied: Signature is required` for unauthenticated requests [ref_id=1].
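The root cause is an allowlist consulted before the credential check. The following Rust model is an added example, not RustFS code: `Request`, `check_signature`, `AuthError` and the demo token are placeholders, and the real router types are not reproduced. It places the vulnerable gate (path exemption returns `Ok(())` before any credential validation) beside a hardened gate that applies one signature requirement to every admin path, and includes the regression check a maintainer would keep in the test suite: no admin path may pass with no credentials.

```rust
// Added example (not RustFS code): a minimal model of the admin-router
// authentication gate. Types and the credential check are placeholders.

#[derive(Debug, PartialEq)]
pub enum AuthError {
    /// Mirrors the sibling endpoint's documented response:
    /// 403 AccessDenied: Signature is required.
    SignatureRequired,
    InvalidSignature,
}

pub struct Request<'a> {
    pub path: &'a str,
    /// Authorization header, if the client sent one (placeholder).
    pub authorization: Option<&'a str>,
}

/// Placeholder credential check: accepts only a constructed demo token.
fn check_signature(header: &str) -> Result<(), AuthError> {
    if header == "AWS4-HMAC-SHA256 Credential=valid-demo-signature" {
        Ok(())
    } else {
        Err(AuthError::InvalidSignature)
    }
}

/// Vulnerable gate (pre-1.0.0-beta.2 behaviour as the advisory describes
/// it): an explicit path allowlist is consulted before credentials.
pub fn auth_gate_vulnerable(req: &Request) -> Result<(), AuthError> {
    if req.path == "/profile/cpu" || req.path == "/profile/memory" {
        return Ok(()); // skips authentication entirely
    }
    match req.authorization {
        None => Err(AuthError::SignatureRequired),
        Some(h) => check_signature(h),
    }
}

/// Hardened gate: no path-based exemption. Profiling and debug handlers
/// are reachable only after the same signature check as every other
/// admin path.
pub fn auth_gate_fixed(req: &Request) -> Result<(), AuthError> {
    match req.authorization {
        None => Err(AuthError::SignatureRequired),
        Some(h) => check_signature(h),
    }
}

/// HTTP status the client would observe for a gate result.
pub fn status_for(result: &Result<(), AuthError>) -> u16 {
    match result {
        Ok(()) => 200,
        Err(_) => 403,
    }
}

/// Regression check: send a credential-less request to every admin path
/// through `gate` and return the paths that were let through. The
/// expected result for a correct gate is an empty list.
pub fn unauthenticated_paths_allowed(
    gate: fn(&Request) -> Result<(), AuthError>,
    paths: &[&str],
) -> Vec<String> {
    paths
        .iter()
        .copied()
        .filter(|p| gate(&Request { path: *p, authorization: None }).is_ok())
        .map(str::to_string)
        .collect()
}

/// Admin paths named on this page (the two exempted ones and the
/// correctly guarded sibling).
pub const ADMIN_PATHS: [&str; 3] = [
    "/profile/cpu",
    "/profile/memory",
    "/rustfs/admin/debug/pprof/profile",
];

fn main() {
    let probe = Request { path: "/profile/cpu", authorization: None };
    println!("vulnerable gate: {}", status_for(&auth_gate_vulnerable(&probe)));
    println!("fixed gate:      {}", status_for(&auth_gate_fixed(&probe)));
    println!(
        "paths open without credentials (vulnerable): {:?}",
        unauthenticated_paths_allowed(auth_gate_vulnerable, &ADMIN_PATHS)
    );
}
```

The design point is ordering: any exemption list evaluated ahead of the credential check becomes an unauthenticated surface, so debug and profiling routes should sit behind the same guard as the rest of the admin API rather than in a bypass list.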
Preconditions
- Network: The admin HTTP endpoint must be network-reachable by the attacker
- Auth: No authentication credentials are required; the bypass is unconditional
Reproduction
```bash
# Tested against rustfs/rustfs:latest

# 1. Unauthenticated access (handler reached)
curl -v http://localhost:9000/profile/cpu
curl -v http://localhost:9000/profile/memory

# 2. Protected endpoint (for comparison)
curl -v http://localhost:9000/rustfs/admin/debug/pprof/profile

# 3. On supported (glibc) builds:
curl http://localhost:9000/profile/cpu
# Expected: long-running request (~60s) and path disclosure
```
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.