This repository has been archived by the owner on Jan 2, 2025. It is now read-only.

Information disclosure vulnerability at /debug/vars #74

Open
alchemydc opened this issue Nov 30, 2023 · 0 comments

Comments

@alchemydc
Contributor

The /debug/vars endpoint exposed by the net/http/pprof package in Go provides a JSON output of the values of all expvar variables. These variables can include a variety of information about the internal state of your application, such as:

  • Command-line arguments with which the program was started
  • The number of garbage collections
  • The number of goroutines
  • Memory statistics
  • Information about the last garbage collection

While this information is not typically sensitive in the sense of revealing secrets or private data, it can provide a lot of information about the internal workings of your application. This could potentially be used by an attacker to understand more about your system and find ways to exploit it.

Therefore, it's generally a good idea to not expose this endpoint in a production environment, or at least restrict access to it.
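Added example (not code from this issue or from the repository): importing the expvar package registers /debug/vars on http.DefaultServeMux as a side effect, so a server started with `http.ListenAndServe(addr, nil)` exposes it. The snippet below, with assumed names (NewPublicMux, NewAdminMux, loopbackOnly, the /healthz route and ports), gives the public listener its own mux that never registers the debug handler and serves expvar only on a loopback-bound admin listener, with a peer-address check as defence in depth.

```go
package main

import (
	"expvar"
	"net"
	"net/http"
)

// NewPublicMux builds the mux for the externally reachable listener.
// Because it is a fresh ServeMux (not DefaultServeMux), the /debug/vars
// handler that expvar registers at init time is not reachable through it.
func NewPublicMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	})
	return mux
}

// loopbackOnly rejects any request whose peer address is not 127.0.0.1 or ::1.
// This guards the admin mux even if it is accidentally bound to 0.0.0.0.
func loopbackOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil || !ip.IsLoopback() {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewAdminMux builds the mux for the operator-only listener; this is the
// only place /debug/vars is served, and only to loopback peers.
func NewAdminMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/debug/vars", loopbackOnly(expvar.Handler()))
	return mux
}

func main() {
	// Admin listener bound to loopback only; public listener on all interfaces.
	go http.ListenAndServe("127.0.0.1:6060", NewAdminMux())
	http.ListenAndServe(":8080", NewPublicMux())
}
```

Verifying the split is a one-line check from the host: a request to /debug/vars on the public port must return 404, and the same request on 6060 from a non-loopback address must return 403.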
