GHSA-j93g-rp6m-j32m
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
Details
### Summary
Arc registers Go's `net/http/pprof` handlers at `/debug/pprof/*` via `app.Use(pprof.New())` in `internal/api/server.go`, and `/debug/pprof` is added to `PublicPrefixes` in `cmd/arc/main.go`. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.
### Impact
Any network-reachable caller (no token required) can:
- Fetch `/debug/pprof/heap` — leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached `*TokenInfo` (the auth cache keys on SHA-256 of the plaintext token at `auth.go:543`).
- Fetch `/debug/pprof/goroutine?debug=2` — leaks call stacks, identifying internal code paths.
- Fetch `/debug/pprof/profile?seconds=N` — pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU).
- Fetch `/debug/pprof/trace` — long-duration execution trace, similar DoS profile.
No authentication, no rate limiting, no resource bound on the `seconds` parameter.
### Patches
https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1
Planned mitigation:
1. Gate pprof registration behind an env var (`ARC_DEBUG_PPROF=1`) that defaults to off.
2. When enabled, bind pprof to a separate localhost-only listener (`127.0.0.1:6060` via a dedicated `net/http` server) so it is never reachable from the public API port.
3. Remove `/debug/pprof` from `PublicPrefixes`.
4. Fix the `HasPrefix` bug where `"/debug/pprofX"` matches `"/debug/pprof"`.
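The four mitigation steps above, worked through as one added Go example (this is illustrative code written for this page, not Arc's own `internal/api/server.go` or `cmd/arc/main.go`, and it uses plain `net/http` rather than Arc's web framework). The `isPublicPath` helper matches a public prefix only at a path-segment boundary, which is the boundary check item 4 calls for; `requireToken` is a hypothetical stand-in for the auth middleware, with a hypothetical `validate` callback; `newPprofServer` mounts `net/http/pprof` on its own loopback listener, gated by `ARC_DEBUG_PPROF=1`. The public prefixes and token value are constructed for the example:

```go
// Added example: pprof off by default, served from a loopback-only listener,
// with a public-prefix check that matches only on path-segment boundaries.
package main

import (
	"log"
	"net/http"
	"net/http/pprof"
	"os"
	"strings"
	"time"
)

// isPublicPath reports whether path is covered by one of publicPrefixes.
// A prefix covers the exact path or a sub-path ("/health" covers "/health"
// and "/health/live" but not "/healthz"). Plain strings.HasPrefix would let
// "/debug/pprofX" match a "/debug/pprof" prefix; the "/" boundary prevents that.
func isPublicPath(path string, publicPrefixes []string) bool {
	for _, p := range publicPrefixes {
		p = strings.TrimSuffix(p, "/")
		if p == "" {
			continue // an empty prefix would make every path public
		}
		if path == p || strings.HasPrefix(path, p+"/") {
			return true
		}
	}
	return false
}

// requireToken (hypothetical middleware) lets public paths through and requires
// a bearer token accepted by validate for everything else. Because /debug/pprof
// is not in publicPrefixes, it would need a token even if it were mounted here.
func requireToken(publicPrefixes []string, validate func(token string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isPublicPath(r.URL.Path, publicPrefixes) {
			next.ServeHTTP(w, r)
			return
		}
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" || !validate(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// pprofEnabled is the opt-in switch: profiling stays off unless ARC_DEBUG_PPROF=1.
func pprofEnabled() bool { return os.Getenv("ARC_DEBUG_PPROF") == "1" }

// newPprofServer builds a dedicated net/http server that serves only the pprof
// handlers on addr (intended to be a loopback address). It is never mounted on
// the public API mux, so the API port cannot reach these endpoints at all.
func newPprofServer(addr string) *http.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return &http.Server{Addr: addr, Handler: mux, ReadHeaderTimeout: 5 * time.Second}
}

func main() {
	// Constructed public prefixes; /debug/pprof is deliberately not listed.
	public := []string{"/health", "/auth/login"}
	// Hypothetical token check; a real service would consult its token cache.
	validate := func(tok string) bool { return tok == "example-token" }

	api := http.NewServeMux()
	api.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok\n"))
	})

	if pprofEnabled() {
		dbg := newPprofServer("127.0.0.1:6060")
		go func() {
			log.Printf("pprof enabled on %s (loopback only)", dbg.Addr)
			if err := dbg.ListenAndServe(); err != nil && err != http.ErrServerClosed {
				log.Printf("pprof listener stopped: %v", err)
			}
		}()
	}

	log.Fatal(http.ListenAndServe(":8080", requireToken(public, validate, api)))
}
```

Run without the env var and nothing listens on 6060; set `ARC_DEBUG_PPROF=1` and the profiler is reachable only from the host itself, which keeps the `seconds`-driven CPU burn and heap dumps off the network path even before any reverse-proxy rule is in place.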
### Workarounds
- Block `/debug/pprof*` at a reverse proxy / load balancer in front of Arc.
- Restrict Arc's API port to known-trusted networks via firewall rules.
- Patch the running build: comment out `app.Use(pprof.New())` in `internal/api/server.go` and rebuild.
### Credits
Reported by Alex Manson ([@NeuroWinter](https://github.com/NeuroWinter), https://neurowinter.com/) on 2026-05-19.
Affected packages
Fixed in: 0.0.0-20260520170331-32a4091fb949

`go get github.com/basekick-labs/arc@v0.0.0-20260520170331-32a4091fb949`