Skip to content

[BUG] Datadog Cluster Agent exposes /debug/pprof on port 5000 (CVE-2019-11248 variant) #44578

New issue
New issue
Open
Open
[BUG] Datadog Cluster Agent exposes /debug/pprof on port 5000 (CVE-2019-11248 variant)#44578
Labels
oss/0External contributions priority 0pendingLabel for issues waiting a Datadog member's response.team/container-platformThe Container Platform Team
@volkorny

Description

@volkorny
volkorny
opened on Dec 23, 2025

Agent version

7

Bug Report

The Datadog Cluster Agent service exposes the Go net/http/pprof debugging endpoints on port 5000 (default). This port is typically open to the entire cluster network (Pod-to-Pod communication).

By default, the Go pprof tool registers its handlers on the default HTTP mux. When the Cluster Agent starts an HTTP server on port 5000 for metrics or health checks, it inadvertently exposes the profiling data.

This is a violation of secure defaults similar to CVE-2019-11248, as it allows any compromised pod or internal actor to profile the Cluster Agent, extract heap dumps, view command-line arguments, and map internal memory structures.

Reproduction Steps

No response

Agent configuration

No response

Operating System

No response

Other environment details

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    oss/0External contributions priority 0pendingLabel for issues waiting a Datadog member's response.team/container-platformThe Container Platform Team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions