{
  "parent_cve": "CVE-2026-59092",
  "parent_root_cause": "JuiceFS HTTP servers started with a nil handler (defaulting to http.DefaultServeMux) while _ \"net/http/pprof\" is imported, exposing net/http/pprof handlers (incl. /debug/pprof/cmdline) without authentication. Parent instance: exposeMetrics() in cmd/mount.go -> http.Serve(ln, nil) on the operator-bindable metrics port.",
  "variant_root_cause": "Same mechanism on the debug agent: cmd/main.go:336 http.ListenAndServe(debugAgent, nil) with debugAgent='127.0.0.1:6060', plus sdk/java/libjfs/main.go:573 http.ListenAndServe('127.0.0.1:%d', nil). Both serve DefaultServeMux and expose the same net/http/pprof handlers.",
  "shared_sink": "net/http/pprof /debug/pprof/cmdline handler -> runtime process command line containing the metadata engine URL with DB credentials (redis://:PASSWORD@host:port/db).",
  "shared_mechanism": "nil-handler http.Server/ListenAndServe/ListenAndServeTLS defaults to http.DefaultServeMux; _ \"net/http/pprof\" registers /debug/pprof/* on DefaultServeMux; no authentication layer in front.",
  "shared_imports": ["cmd/main.go:22 _ \"net/http/pprof\"", "sdk/java/libjfs/main.go:54 _ \"net/http/pprof\"", "cmd/mount.go:26 _ \"net/http/pprof\"", "cmd/sync.go:23 _ \"net/http/pprof\""],
  "difference_from_parent": {
    "entry_point": "debug agent loopback port 127.0.0.1:6060 (vs metrics port 0.0.0.0:9567)",
    "bind_address": "hardcoded 127.0.0.1, not operator-configurable to 0.0.0.0 (vs operator-bindable metrics port)",
    "trust_boundary": "local/loopback (co-located user or SSRF) vs remote (parent CVE)",
    "fix_coverage": "the fix (a46979cd) converted the three remote-facing servers to dedicated muxes but did NOT touch the debug agent (empty diff for cmd/main.go)"
  },
  "equivalence_confidence": "high",
  "equivalence_rationale": "Identical code-level mechanism (nil handler -> DefaultServeMux + net/http/pprof import) and identical sink (/debug/pprof/cmdline leaking the same metadata credential). The only differences are the entry-point port and the bind address (loopback vs remote), which change the trust boundary and severity but not the root cause. Therefore same_root_cause_confidence=high; same_surface_confidence=medium (different network surface).",
  "fix_commit": "a46979cdd4082217081ee99b931ddc53d038e47a",
  "fix_pr": "#7214"
}
