reported via email on 26 May 2026 but no responses received:
I found an unauthenticated information disclosure and denial-of-service issue in juicefs webdav that affects the latest release (v1.3.1) and HEAD (commit f3bab76).
Root cause: the WebDAV server registers its handler on Go's default ServeMux and passes nil to http.ListenAndServe. Because the cmd package side-effect-imports net/http/pprof and registers the Prometheus /metrics handler on the same default mux, both /debug/pprof/* and /metrics are reachable on the WebDAV listen address without going through the Basic Auth check in pkg/fs/http.go.
Impact:
- /debug/pprof/cmdline returns the full process command line, which on a typical juicefs deployment contains the metadata-engine URL (Redis, MySQL, PostgreSQL, or TiKV DSN). If the DSN contains credentials, those credentials leak to any unauthenticated caller. With the metadata DSN an attacker has full read/write access to filesystem metadata.
- /debug/pprof/heap, /goroutine, /allocs, /mutex, /trace return runtime state and stack traces that disclose mount points, cache paths, and internal architecture.
- /debug/pprof/profile?seconds=N and /debug/pprof/trace?seconds=N hold CPU and runtime resources for arbitrary durations and enable denial of service.
- /metrics returns the full Prometheus metric set, which the operator intended to bind only to 127.0.0.1:9567.
Setting WEBDAV_USER and WEBDAV_PASSWORD does not mitigate this. The documentation in docs/en/deployment/webdav.md and docs/en/guide/gateway.md recommends binding to 0.0.0.0, so most deployments are reachable from at least the local network.
I have a complete reproduction in the attached writeup and have validated end to end against the official juicedata/mount:latest image.
Recommended fix: use a dedicated http.ServeMux for the WebDAV handler (and for /metrics) and pass it explicitly to http.ListenAndServe so that the default mux is no longer published on user-facing ports.
reported via email on 26 May 2026 but no responses received:
I found an unauthenticated information disclosure and denial-of-service issue in
juicefs webdavthat affects the latest release (v1.3.1) and HEAD (commit f3bab76).Root cause: the WebDAV server registers its handler on Go's default ServeMux and passes nil to http.ListenAndServe. Because the cmd package side-effect-imports net/http/pprof and registers the Prometheus /metrics handler on the same default mux, both /debug/pprof/* and /metrics are reachable on the WebDAV listen address without going through the Basic Auth check in pkg/fs/http.go.
Impact:
Setting WEBDAV_USER and WEBDAV_PASSWORD does not mitigate this. The documentation in docs/en/deployment/webdav.md and docs/en/guide/gateway.md recommends binding to 0.0.0.0, so most deployments are reachable from at least the local network.
I have a complete reproduction in the attached writeup and have validated end to end against the official juicedata/mount:latest image.
Recommended fix: use a dedicated http.ServeMux for the WebDAV handler (and for /metrics) and pass it explicitly to http.ListenAndServe so that the default mux is no longer published on user-facing ports.