{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": "unauthenticated remote attacker sending HTTP requests to exposed debug/metrics endpoints",
    "claimed_surface": "api_remote",
    "expected_impact": "authz_bypass",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": "HTTP GET to /debug/pprof/cmdline (and other /debug/pprof/* or metrics endpoints) on the JuiceFS HTTP debug/metrics port",
    "required_entrypoint_kind": "endpoint",
    "submission_reason": "ticket_derived_llm",
    "trigger_class": "service_api",
    "upstream_verdicts": {
      "claim_extraction": {
        "confidence": "high",
        "model": "accounts/fireworks/models/kimi-k2p7-code",
        "reason": "Ticket describes unauthenticated remote HTTP access to /debug/pprof/* and metrics endpoints due to shared http.DefaultServeMux registration, with explicit reproduction via curl to /debug/pprof/cmdline leaking credentials and optional DoS via profiling endpoints.",
        "source": "llm"
      }
    }
  },
  "latest_description": "## Summary\nJuiceFS through 1.3.1 contains an authentication bypass in its HTTP debug/metrics handler registration. Because handlers are registered on the shared `http.DefaultServeMux`, unauthenticated remote attackers can access sensitive `/debug/pprof/*` and metrics endpoints. The `/debug/pprof/cmdline` endpoint can leak process command-line arguments that include metadata engine connection strings with database credentials, enabling full read/write access to filesystem metadata. Other pprof handlers leak internal state and profiling handlers can be abused for denial-of-service.\n\n## Technical Details\n- Root cause: improper handler registration on the shared `http.DefaultServeMux` exposes debug/metrics handlers without authentication.\n- Impact: authentication bypass; disclosure of metadata engine connection strings (DB credentials) via `/debug/pprof/cmdline`; access to internal state via other pprof handlers; potential DoS via profiling endpoints.\n- Fixed: commit `a46979cdd4082217081ee99b931ddc53d038e47a`.\n\n## Reproduction Steps\n1. Deploy a vulnerable JuiceFS version (<= 1.3.1) with HTTP debug/metrics handlers enabled (default mux used).\n2. From an unauthenticated remote host, send an HTTP request to the pprof endpoint:\n   ```bash\n   curl http://<juicefs-host>:<port>/debug/pprof/cmdline\n   ```\n3. Observe the response containing the process command line, which may include metadata engine connection strings with credentials.\n4. (Optional) Access other pprof endpoints (e.g., `/debug/pprof/profile`) to trigger profiling/DoS behaviors.\n\n## Indicators of Success\n- Unauthenticated access to `/debug/pprof/cmdline` returns command-line arguments.\n- Command-line output reveals metadata engine connection strings with credentials.\n- Profiling endpoints are reachable without authentication.\n\n## References\n- https://nvd.nist.gov/vuln/detail/CVE-2026-59092\n- https://github.com/juicedata/juicefs/commit/a46979cdd4082217081ee99b931ddc53d038e47a\n- https://github.com/juicedata/juicefs/issues/7213\n- https://github.com/juicedata/juicefs/pull/7214\n- https://www.vulncheck.com/advisories/juicefs-authentication-bypass-via-pprof-and-metrics-endpoints",
  "product": "go:github.com/juicedata/juicefs",
  "severity": "high",
  "status": "open",
  "summary": "JuiceFS through 1.3.1 exposes debug/metrics endpoints via shared http.DefaultServeMux, enabling authentication bypass and leakage of sensitive metadata connection strings, with potential DoS via profiling handlers.",
  "ticket_id": "CVE-2026-59092"
}