Pprof Endpoint High

Importing net/http/pprof and exposing pprof HTTP endpoints in Go code can leak sensitive debug data. The /debug/pprof path allows anonymous information disclosure without authentication. Additionally, writing pprof profiles to HTTP responses or standard output exposes internal debugging info. To prevent information leaks, remove net/http/pprof imports and pprof profile outputs from production code. Explicitly restrict pprof endpoints to localhost to avoid exposing debug data publicly.
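The localhost restriction described above, as an added example that is not part of the detector's own documentation. It serves the application from a private mux and registers the pprof handlers explicitly on a second mux bound to loopback only. The `/healthz` route, the ports 6060 and 8080, and the helper names are assumptions.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/pprof" // its init() also registers /debug/pprof/* on http.DefaultServeMux
)

// newAppMux builds the public handler on a private mux. The public server
// never serves http.DefaultServeMux, so the handlers the pprof import
// registers there are unreachable from the public listener.
func newAppMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { // assumed route
		w.Write([]byte("ok"))
	})
	return mux
}

// newDebugMux registers the pprof handlers explicitly on a separate mux.
func newDebugMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// isLoopbackAddr reports whether a listen address binds to a loopback IP only.
func isLoopbackAddr(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host) // an empty host (":6060") means all interfaces: rejected
	return ip != nil && ip.IsLoopback()
}

const debugAddr = "127.0.0.1:6060" // assumed port; loopback only

func main() {
	if !isLoopbackAddr(debugAddr) {
		log.Fatalf("refusing to expose pprof on non-loopback address %q", debugAddr)
	}
	go func() { log.Println(http.ListenAndServe(debugAddr, newDebugMux())) }()
	log.Fatal(http.ListenAndServe(":8080", newAppMux())) // assumed public port
}
```
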

Detector ID
go/pprof-endpoint@v1.0
Category
Common Weakness Enumeration (CWE)
Tags
-