apache · JisoLya · Jan 26, 2026 · Jan 27, 2026 · Jan 29, 2026 · Jan 29, 2026
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java
@@ -439,15 +439,15 @@ public class ServerOptions extends OptionHolder {
                     "arthas.ip",
                     "arthas bound ip",
                     disallowEmpty(),
-                    "0.0.0.0"
+                    "127.0.0.1"
             );
 
     public static final ConfigOption<String> ARTHAS_DISABLED_COMMANDS =
             new ConfigOption<>(
                     "arthas.disabledCommands",
                     "arthas disabled commands",
                     disallowEmpty(),
-                    "jad"
+                    "jad,ognl,vmtool"
             );
 
     public static final ConfigOption<Boolean> ALLOW_TRACE =

diff --git a/hugegraph-server/hugegraph-dist/src/assembly/static/conf/rest-server.properties b/hugegraph-server/hugegraph-dist/src/assembly/static/conf/rest-server.properties
@@ -12,10 +12,10 @@ batch.max_write_ratio=80
 batch.max_write_threads=0
 
 # configuration of arthas
-arthas.telnet_port=8562
-arthas.http_port=8561
+arthas.telnetPort=8562
+arthas.httpPort=8561
 arthas.ip=127.0.0.1
-arthas.disabled_commands=jad
+arthas.disabledCommands=jad,ognl,vmtool
 
 # authentication configs
 #auth.authenticator=org.apache.hugegraph.auth.StandardAuthenticator

diff --git a/hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/AppConfig.java b/hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/AppConfig.java
@@ -211,10 +211,10 @@ public class ArthasConfig {
         @Value("${arthas.httpPort:8565}")
         private String httpPort;
 
-        @Value("${arthas.ip:0.0.0.0}")
+        @Value("${arthas.ip:127.0.0.1}")
         private String arthasip;
 
-        @Value("${arthas.disabledCommands:jad}")
+        @Value("${arthas.disabledCommands:jad,ognl,vmtool}")
         private String disCmd;
     }
 

diff --git a/.../hg-store-node/src/main/java/org/apache/hugegraph/store/node/controller/PartitionAPI.java b/.../hg-store-node/src/main/java/org/apache/hugegraph/store/node/controller/PartitionAPI.java
@@ -22,6 +22,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import org.apache.hugegraph.pd.common.PDException;
 import org.apache.hugegraph.pd.grpc.Metapb;
@@ -44,6 +45,8 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.alipay.sofa.jraft.entity.PeerId;
 import com.alipay.sofa.jraft.util.Endpoint;
@@ -189,6 +192,16 @@ public Map<String, Object> cleanPartition(@PathVariable(value = "id") int id) th
     @GetMapping(value = "/arthasstart", produces = "application/json")
     public Map<String, Object> arthasstart(
             @RequestParam(required = false, defaultValue = "") String flags) {
+        String remoteAddr = ((ServletRequestAttributes) Objects.requireNonNull(
+                RequestContextHolder.getRequestAttributes())).getRequest().getRemoteAddr();
+
+        boolean isLocalRequest = "127.0.0.1".equals(remoteAddr) ||
+                                 "[0:0:0:0:0:0:0:1]".equals(remoteAddr);
+        if (!isLocalRequest){
+            List<String> ret = new ArrayList<>();
+            ret.add("Arthas start is ONLY allowed from localhost.");
+            return forbiddenMap("arthasstart", ret);
+        }
         HashMap<String, String> configMap = new HashMap<>();
         configMap.put("arthas.telnetPort", appConfig.getArthasConfig().getTelnetPort());
         configMap.put("arthas.httpPort", appConfig.getArthasConfig().getHttpPort());
@@ -225,6 +238,13 @@ public Map<String, Object> okMap(String k, Object v) {
         return map;
     }
 
+    public Map<String, Object> forbiddenMap(String k, Object v){
+        HashMap<String, Object> map = new HashMap<>();
+        map.put("status", 403);
+        map.put(k,v);
+        return map;
+    }
+
     @Data
     public class Raft {
 

diff --git a/hugegraph-store/hg-store-node/src/main/resources/application.yml b/hugegraph-store/hg-store-node/src/main/resources/application.yml
@@ -49,3 +49,10 @@ logging:
   config: classpath:log4j2-dev.xml
   level:
     root: info
+
+arthas:
+  telnetPort: 8566
+  httpPort: 8565
+  # Only allow starting arthas locally
+  ip: 127.0.0.1
+  disabledCommands: jad,ognl,vmtool