# CVE-2026-59092

## Summary

JuiceFS through 1.3.1 exposes debug/metrics endpoints via the shared `http.DefaultServeMux`, enabling authentication bypass and leakage of sensitive metadata connection strings, with potential DoS via profiling handlers.

## Description

JuiceFS through 1.3.1 contains an authentication bypass in its HTTP debug/metrics handler registration. Because handlers are registered on the shared `http.DefaultServeMux`, unauthenticated remote attackers can access sensitive `/debug/pprof/*` and metrics endpoints. The `/debug/pprof/cmdline` endpoint can leak process command-line arguments that include metadata engine connection strings with database credentials, enabling full read/write access to filesystem metadata. Other pprof handlers leak internal state and profiling handlers can be abused for denial-of-service.

## Technical Details
- Root cause: improper handler registration on the shared `http.DefaultServeMux` exposes debug/metrics handlers without authentication.
- Impact: authentication bypass; disclosure of metadata engine connection strings (DB credentials) via `/debug/pprof/cmdline`; access to internal state via other pprof handlers; potential DoS via profiling endpoints.
- Fixed: commit `a46979cdd4082217081ee99b931ddc53d038e47a`.
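
The root cause above, shown as an added Go example (not JuiceFS code and not taken from the fix commit): importing `net/http/pprof` registers its handlers on `http.DefaultServeMux`, so a listener that serves the default mux also serves `/debug/pprof/*`, while a dedicated `http.NewServeMux()` serves only what is registered on it. The `metrics` handler and all function names are hypothetical; the check runs in-process and can be reused as a regression test.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	_ "net/http/pprof" // side effect: registers /debug/pprof/* on http.DefaultServeMux
)

// Hypothetical metrics handler standing in for an application's own endpoint.
func metrics(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "example_metric 1") }

// Risky pattern: the application registers on the process-wide default mux.
func init() { http.HandleFunc("/metrics", metrics) }

// sharedHandler is what http.ListenAndServe(addr, nil) serves: the default mux,
// including every handler any imported package registered on it.
func sharedHandler() http.Handler { return http.DefaultServeMux }

// dedicatedHandler serves only the routes registered here.
func dedicatedHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/metrics", metrics)
	return mux
}

// status issues an in-process GET (no network) and returns the status code.
func status(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

// exposedDebugPaths lists the pprof routes that h answers with 200.
// /debug/pprof/profile is left out because requesting it starts a CPU profile.
func exposedDebugPaths(h http.Handler) []string {
	var found []string
	for _, p := range []string{"/debug/pprof/", "/debug/pprof/cmdline", "/debug/pprof/symbol"} {
		if status(h, p) == http.StatusOK {
			found = append(found, p)
		}
	}
	return found
}

func main() {
	fmt.Println("shared mux exposes:   ", exposedDebugPaths(sharedHandler()))
	fmt.Println("dedicated mux exposes:", exposedDebugPaths(dedicatedHandler()))
}
```
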

## Reproduction Steps
1. Deploy a vulnerable JuiceFS version (<= 1.3.1) with HTTP debug/metrics handlers enabled (default mux used).
2. From an unauthenticated remote host, send an HTTP request to the pprof endpoint:
   ```bash
   curl http://<juicefs-host>:<port>/debug/pprof/cmdline
   ```
3. Observe the response containing the process command line, which may include metadata engine connection strings with credentials.
4. (Optional) Access other pprof endpoints (e.g., `/debug/pprof/profile`) to trigger profiling/DoS behaviors.

## Indicators of Success
- Unauthenticated access to `/debug/pprof/cmdline` returns command-line arguments.
- Command-line output reveals metadata engine connection strings with credentials.
- Profiling endpoints are reachable without authentication.

## References
- https://nvd.nist.gov/vuln/detail/CVE-2026-59092
- https://github.com/juicedata/juicefs/commit/a46979cdd4082217081ee99b931ddc53d038e47a
- https://github.com/juicedata/juicefs/issues/7213
- https://github.com/juicedata/juicefs/pull/7214
- https://www.vulncheck.com/advisories/juicefs-authentication-bypass-via-pprof-and-metrics-endpoints

## Metadata

- Product: go:github.com/juicedata/juicefs
- Severity: high
- Status: open
