Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary

Arc registers Go's net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.

Impact

Any network-reachable caller (no token required) can:

• Fetch /debug/pprof/heap — leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached *TokenInfo (the auth cache keys on SHA-256 of the plaintext token at auth.go:543).
• Fetch /debug/pprof/goroutine?debug=2 — leaks call stacks, identifying internal code paths.
• Fetch /debug/pprof/profile?seconds=N — pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU).
• Fetch /debug/pprof/trace — long-duration execution trace, similar DoS profile.

No authentication, no rate limiting, no resource bound on the seconds parameter.

Patches

https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1

Planned mitigation:

1. Gate pprof registration behind an env var (ARC_DEBUG_PPROF=1) that defaults to off.
2. When enabled, bind pprof to a separate localhost-only listener (127.0.0.1:6060 via dedicated net/http server) so it's never reachable from the public API port.
3. Remove /debug/pprof from PublicPrefixes.
4. Fix the HasPrefix bug where "/debug/pprofX" matches "/debug/pprof".

Workarounds

• Block /debug/pprof* at a reverse proxy / load balancer in front of Arc.
• Restrict Arc's API port to known-trusted networks via firewall rules.
• Patch the running build: comment out app.Use(pprof.New()) in internal/api/server.go and rebuild.

Credits

Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.