GHSA-P749-9W62-W533
Vulnerability from github – Published: 2026-06-19 13:52 – Updated: 2026-06-19 13:52Summary
The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling.
Details
A blank import of net/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.
Impact
An unauthenticated caller who can reach the listener can extract process memory — including the session and apiserver tokens — and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.
Conditions for exploitation
- Affected version in
>= 0.19.5, <= 0.37.3. - HUD (or apiserver) listener bound to a non-loopback address (
tilt up --host 0.0.0.0, orTILT_HOSTset). - Network reachability to the listener (default port
10350).
Not affected
- The default loopback-only bind is not reachable from the network.
Workarounds
Use the default loopback bind (omit --host, unset TILT_HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.37.3"
},
"package": {
"ecosystem": "Go",
"name": "github.com/tilt-dev/tilt"
},
"ranges": [
{
"events": [
{
"introduced": "0.19.5"
},
{
"fixed": "0.37.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55882"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T13:52:17Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nThe Tilt HUD server mounts Go\u0027s `net/http/pprof` handlers under `/debug` with no access control. When the HUD is network-exposed, an attacker can read process memory \u2014 including session and apiserver tokens \u2014 and hold the process under profiling.\n\n## Details\nA blank import of `net/http/pprof` registers its handlers on `http.DefaultServeMux`, which the HUD controller mounts under `/debug` on both the web router and the apiserver listener. `/debug/pprof/heap` and `/goroutine` expose process memory, including the session token (also issued in the `Tilt-Token` cookie) and the apiserver loopback bearer token; `/profile` and `/trace` let a caller sample the process for an arbitrary duration.\n\n## Impact\nAn unauthenticated caller who can reach the listener can extract process memory \u2014 including the session and apiserver tokens \u2014 and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.\n\n### Conditions for exploitation\n- Affected version in `\u003e= 0.19.5, \u003c= 0.37.3`.\n- HUD (or apiserver) listener bound to a non-loopback address (`tilt up --host 0.0.0.0`, or `TILT_HOST` set).\n- Network reachability to the listener (default port `10350`).\n\n### Not affected\n- The default loopback-only bind is not reachable from the network.\n\n## Workarounds\nUse the default loopback bind (omit `--host`, unset `TILT_HOST`) so `/debug` is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.",
"id": "GHSA-p749-9w62-w533",
"modified": "2026-06-19T13:52:17Z",
"published": "2026-06-19T13:52:17Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tilt-dev/tilt/security/advisories/GHSA-p749-9w62-w533"
},
{
"type": "WEB",
"url": "https://github.com/tilt-dev/tilt/pull/6776"
},
{
"type": "PACKAGE",
"url": "https://github.com/tilt-dev/tilt"
},
{
"type": "WEB",
"url": "https://github.com/tilt-dev/tilt/releases/tag/v0.37.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.