CVE-2026-45044
Unauthenticated CPU Profiling DoS in RustFS
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rustfs | rustfs | to 1.0.0-beta.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in RustFS, a distributed object storage system built in Rust, prior to version 1.0.0-beta.2. The admin router explicitly whitelists the endpoints /profile/cpu and /profile/memory from the authentication layer, allowing any unauthenticated HTTP client to access profiling handlers without credentials.
On supported builds, such as those using glibc, the /profile/cpu handler triggers a fixed 60-second CPU profiling operation for each request. This can cause significant CPU resource consumption.
Additionally, the handler returns the serverβs absolute filesystem path in the response body, which leads to information disclosure.
This combination of unauthenticated access, resource exhaustion potential, and information disclosure constitutes the vulnerability, which was fixed in version 1.0.0-beta.2.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing unauthenticated attackers to invoke CPU profiling operations that consume significant CPU resources, potentially leading to denial of service (DoS) conditions.
Furthermore, the vulnerability causes information disclosure by revealing the serverβs absolute filesystem path in the response, which could aid attackers in further exploitation or reconnaissance.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade RustFS to version 1.0.0-beta.2 or later, where the issue has been fixed.
Until the upgrade is applied, consider restricting access to the /profile/cpu and /profile/memory endpoints to trusted and authenticated users only, to prevent unauthenticated clients from invoking the profiling handlers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated access to profiling endpoints, leading to potential denial of service and information disclosure of the server's absolute filesystem path.
Such unauthorized access and information disclosure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of system integrity and confidentiality of sensitive information.
Specifically, the information disclosure could aid attackers in further exploitation, potentially compromising personal or sensitive data, which is a violation of these regulations' security requirements.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending unauthenticated HTTP requests to the vulnerable endpoints `/profile/cpu` and `/profile/memory` on the RustFS server and observing the responses.
- Send a request to `/profile/cpu` and check if the server starts a CPU profiling operation (which may cause high CPU usage) and returns the server's absolute filesystem path in the response.
- On musl/Docker builds, a 500 Internal Server Error response instead of 401/403 indicates the authentication bypass.
- Verify that the correctly secured endpoint `/rustfs/admin/debug/pprof/profile` returns a 403 Access Denied error.
Example command using curl to test the `/profile/cpu` endpoint:
- curl -i http://<rustfs-server>/profile/cpu
If the response includes the absolute filesystem path or the server consumes high CPU for about 60 seconds, the vulnerability is present.