Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, Dgraphl exposes the process command line through the unauthenticated /debug/vars endpoin…

Dgraph, an open source distributed GraphQL database, contains a vulnerability in versions prior to 25.3.3 that exposes the process command line through the unauthenticated /debug/vars endpoint. Attackers can retrieve admin tokens commonly supplied via startup flags and replay them using the X-Dgraph-AuthToken header to access admin-only endpoints. This is a variant of a previously fixed /debug/pprof/cmdline issue, but the fix was incomplete as it only blocked that specific endpoint while still serving http.DefaultServeMux. The vulnerability allows unauthenticated privilege escalation and is fixed in version 25.3.3.