Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server
Summary
The Tilt HUD server mounts Go'snet/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling.Details
A blank import ofnet/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.Impact
An unauthenticated caller who can reach the listener can extract process memory — including the session and apiserver tokens — and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.Conditions for exploitation
- Affected version in
>= 0.19.5, <= 0.37.3. - HUD (or apiserver) listener bound to a non-loopback address (
tilt up --host 0.0.0.0, orTILT_HOSTset). - Network reachability to the listener (default port
10350).
Not affected
- The default loopback-only bind is not reachable from the network.
Workarounds
Use the default loopback bind (omit--host, unset TILT_HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.