GHSA-p749-9w62-w533High

Tilt: Unauthenticated pprof debug endpoints on the Tilt HUD server

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The Tilt HUD server mounts Go's net/http/pprof handlers under /debug with no access control. When the HUD is network-exposed, an attacker can read process memory — including session and apiserver tokens — and hold the process under profiling.

Details

A blank import of net/http/pprof registers its handlers on http.DefaultServeMux, which the HUD controller mounts under /debug on both the web router and the apiserver listener. /debug/pprof/heap and /goroutine expose process memory, including the session token (also issued in the Tilt-Token cookie) and the apiserver loopback bearer token; /profile and /trace let a caller sample the process for an arbitrary duration.

Impact

An unauthenticated caller who can reach the listener can extract process memory — including the session and apiserver tokens — and degrade performance by holding the process under CPU profiling or tracing. The leaked tokens compound the missing-authentication finding on the same server.

Conditions for exploitation

  • Affected version in >= 0.19.5, <= 0.37.3.
  • HUD (or apiserver) listener bound to a non-loopback address (tilt up --host 0.0.0.0, or TILT_HOST set).
  • Network reachability to the listener (default port 10350).

Not affected

  • The default loopback-only bind is not reachable from the network.

Workarounds

Use the default loopback bind (omit --host, unset TILT_HOST) so /debug is not remotely reachable. No complete workaround short of upgrading for non-loopback deployments.

🎯 Affected products1

  • go/github.com/tilt-dev/tilt:>= 0.19.5, <= 0.37.3

🔗 References (4)