Summary Arc registers Go's "net/http/pprof" handlers at "/debug/pprof/*" via "app.Use(pprof.New())" in "internal/api/server.go", and "/debug/pprof" is added to "PublicPrefixes" in "cmd/arc/main.go". The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication. Impact Any network-reachable caller (no token required) can: - Fetch "/debug/pprof/heap" — leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached "*TokenInfo" (the auth cache keys on SHA-256 of the plaintext token at "auth.go:543"). - Fetch "/debug/pprof/goroutine?debug=2" — leaks call stacks, identifying internal code paths. - Fetch "/debug/pprof/profile?seconds=N" — pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU). - Fetch "/debug/pprof/trace" — long-duration execution trace, similar DoS profile. No authentication, no rate limiting, no resource bound on the "seconds" parameter. Patches https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1 Planned mitigation: 1. Gate pprof registration behind an env var ("ARC_DEBUG_PPROF=1") that defaults to off. 2. When enabled, bind pprof to a separate localhost-only listener ("127.0.0.1:6060" via dedicated "net/http" server) so it's never reachable from the public API port. 3. Remove "/debug/pprof" from "PublicPrefixes". 4. Fix the "HasPrefix" bug where ""/debug/pprofX"" matches ""/debug/pprof"". Workarounds - Block "/debug/pprof*" at a reverse proxy / load balancer in front of Arc. - Restrict Arc's API port to known-trusted networks via firewall rules. - Patch the running build: comment out "app.Use(pprof.New())" in "internal/api/server.go" and rebuild. Credits Reported by Alex Manson ("@NeuroWinter" (https://github.com/NeuroWinter), https://neurowinter.com/) on 2026-05-19.