Skip to content

juicefs webdav exposes /debug/pprof and /metrics with no auth on the public listen address #7213

Description

@geo-chen

reported via email on 26 May 2026 but no responses received:

I found an unauthenticated information disclosure and denial-of-service issue in juicefs webdav that affects the latest release (v1.3.1) and HEAD (commit f3bab76).

Root cause: the WebDAV server registers its handler on Go's default ServeMux and passes nil to http.ListenAndServe. Because the cmd package side-effect-imports net/http/pprof and registers the Prometheus /metrics handler on the same default mux, both /debug/pprof/* and /metrics are reachable on the WebDAV listen address without going through the Basic Auth check in pkg/fs/http.go.

Impact:

  • /debug/pprof/cmdline returns the full process command line, which on a typical juicefs deployment contains the metadata-engine URL (Redis, MySQL, PostgreSQL, or TiKV DSN). If the DSN contains credentials, those credentials leak to any unauthenticated caller. With the metadata DSN an attacker has full read/write access to filesystem metadata.
  • /debug/pprof/heap, /goroutine, /allocs, /mutex, /trace return runtime state and stack traces that disclose mount points, cache paths, and internal architecture.
  • /debug/pprof/profile?seconds=N and /debug/pprof/trace?seconds=N hold CPU and runtime resources for arbitrary durations and enable denial of service.
  • /metrics returns the full Prometheus metric set, which the operator intended to bind only to 127.0.0.1:9567.

Setting WEBDAV_USER and WEBDAV_PASSWORD does not mitigate this. The documentation in docs/en/deployment/webdav.md and docs/en/guide/gateway.md recommends binding to 0.0.0.0, so most deployments are reachable from at least the local network.

I have a complete reproduction in the attached writeup and have validated end to end against the official juicedata/mount:latest image.

Recommended fix: use a dedicated http.ServeMux for the WebDAV handler (and for /metrics) and pass it explicitly to http.ListenAndServe so that the default mux is no longer published on user-facing ports.

Metadata

Metadata

Assignees

Labels

kind/bugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions