{
  "variant_id": "CVE-2026-59092-juicefs-debug-agent-pprof",
  "created_at": "2026-07-03",
  "variant_summary": "Distinct same-root-cause variant of CVE-2026-59092. The fix (commit a46979cd, PR #7214) isolated the metrics/WebDAV/sync HTTP servers from http.DefaultServeMux, but the debug agent in cmd/main.go:336 (and its twin in sdk/java/libjfs/main.go:573) still calls http.ListenAndServe(addr, nil) and therefore still serves DefaultServeMux. As a result, on the FIXED binary /debug/pprof/cmdline remains reachable on the debug agent's loopback port (127.0.0.1:6060, or the first free port in 6060..6099) and leaks the metadata-engine connection string, including DB credentials, when it appears on the process command line. This is NOT a remote bypass: the debug agent is hardcoded to 127.0.0.1, has no remote-bind flag, and can be disabled via --no-agent. It is a localhost-only fix-coverage gap, reachable by a co-located local user or through SSRF.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "github.com/juicedata/juicefs",
  "submitted_target": {
    "target_kind": "git_commit",
    "commit_sha": "f60a90fc0ad52d2bb1f44f38a04d55044fc91d50",
    "version": "1.3.1",
    "ref": null,
    "display": "JuiceFS <= 1.3.1 (vulnerable parent commit f60a90fc, before fix a46979cd)"
  },
  "variant_target": {
    "target_kind": "git_commit",
    "commit_sha": "a46979cdd4082217081ee99b931ddc53d038e47a",
    "version": "1.4.0-dev+unknown",
    "ref": "main",
    "display": "JuiceFS fixed commit a46979cd (PR #7214) — variant reproduced on this fixed commit"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "medium",
  "claimed_surface": "api_remote",
  "validated_surface": "localhost_debug_agent",
  "required_entrypoint_kind": "api_local_loopback",
  "required_entrypoint_detail": "Unauthenticated HTTP GET to /debug/pprof/cmdline on the JuiceFS debug agent loopback port 127.0.0.1:6060 (first free port in 6060..6099), started for every subcommand unless --no-agent is passed.",
  "attacker_controlled_input": "Unauthenticated HTTP GET request to /debug/pprof/cmdline on the debug agent loopback port (no request body, no auth).",
  "trigger_path": "juicefs <cmd> (e.g. gateway/mount) without --no-agent -> cmd/main.go:332 debugAgentOnce.Do -> cmd/main.go:336 http.ListenAndServe('127.0.0.1:6060', nil) -> http.DefaultServeMux -> net/http/pprof /debug/pprof/cmdline handler -> runtime command line containing redis://:s3cr3tPass@127.0.0.1:6379/1.",
  "observed_impact_class": "credential_disclosure",
  "exploitability_confidence": "medium",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": "The fix (a46979cd) fully closes the REMOTE surface claimed by the CVE: the metrics/WebDAV/sync ports now use dedicated muxes and return HTTP 404 for /debug/pprof/* (verified). The residual debug-agent exposure is localhost-only (hardcoded 127.0.0.1, no remote-bind flag) and can be disabled via --no-agent (for the Java SDK, by leaving JUICEFS_DEBUG unset). It does NOT re-open the remote auth bypass; it is a local-hardening / fix-coverage gap.",
  "file_path": "cmd/main.go",
  "line_start": 332,
  "line_end": 337,
  "secondary_anchors": [
    {
      "file_path": "sdk/java/libjfs/main.go",
      "line_start": 573,
      "line_end": 573
    },
    {
      "file_path": "cmd/main.go",
      "line_start": 22,
      "line_end": 22
    }
  ],
  "review_scope_paths": [
    "cmd/main.go",
    "sdk/java/libjfs/main.go",
    "cmd/mount.go",
    "pkg/fs/http.go",
    "pkg/sync/cluster.go"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/variant-run-6.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh",
      "bundle/vuln_variant/variant_runtime_result.json",
      "bundle/logs/vuln_variant/fixed-debugagent-cmdline.txt",
      "bundle/logs/vuln_variant/vuln-debugagent-cmdline.txt",
      "bundle/logs/vuln_variant/fixed_version.txt"
    ]
  }
}
