Active Debug Code
| Property | Value |
|---|---|
| Language | Go |
| Severity | |
| CWE | CWE-489: Active Debug Code |
| OWASP | A06:2017 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Go pprof profiling endpoints are exposed under /debug/pprof in production, which can leak detailed information about your server's internals. This happens when `net/http/pprof` is imported without restricting access to these routes: the package registers its handlers on `http.DefaultServeMux` at import time, so any server that serves the default mux (for example `http.ListenAndServe(addr, nil)`) exposes them to every client that can reach the server.
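The following is an added example, not code from the original rule page or from any project it describes. It shows the pattern the rule flags beside a hardened layout: the public listener serves an explicit mux that never carries the pprof handlers, and the pprof handlers are registered only on a separate mux bound to loopback. The `exposesPprof` self-check, the `/healthz` route and the port numbers are assumptions chosen for the example.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/pprof" // importing this package registers /debug/pprof/* on http.DefaultServeMux in its init()
	"time"
)

// flaggedHandler is the pattern the rule reports: serving http.DefaultServeMux
// (what a nil handler in http.ListenAndServe means) while net/http/pprof is
// imported anywhere in the binary. The pprof routes ride along unintentionally.
func flaggedHandler() http.Handler {
	return http.DefaultServeMux
}

// newPublicMux builds the mux the internet-facing listener serves. It is a fresh
// ServeMux, so the handlers that net/http/pprof registered on DefaultServeMux are
// not reachable through it, whatever other packages import.
func newPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok"))
	})
	return mux
}

// newDebugMux registers the pprof handlers explicitly on a dedicated mux that is
// only ever bound to a loopback address (see main), so profiling stays available
// to operators without being reachable from the network.
func newDebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// exposesPprof is an in-process check suitable for a unit test: it sends
// GET /debug/pprof/ to the handler and reports whether anything other than
// 404 answers, i.e. whether the profiling index is routable through it.
func exposesPprof(h http.Handler) bool {
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/", nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code != http.StatusNotFound
}

func main() {
	// Debug listener on loopback only (port is an assumption); operators reach it
	// through an SSH tunnel or port-forward rather than over the network.
	go func() {
		log.Fatal(http.ListenAndServe("127.0.0.1:6060", newDebugMux()))
	}()

	// Public listener with an explicit handler, never nil. Passing nil would select
	// DefaultServeMux and reintroduce the exposure the rule describes.
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           newPublicMux(),
		ReadHeaderTimeout: 5 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}
```

Running `exposesPprof` against the three handlers in a test is a cheap regression guard: it fails the build if someone later points the public listener back at `DefaultServeMux` or mounts the debug mux on the public server.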
Impact
If left open, attackers could access sensitive profiling data like memory usage, goroutine dumps, or CPU profiles, making it easier to exploit vulnerabilities or perform denial-of-service attacks. This exposure could aid in reconnaissance and weaken your application’s overall security.