Advisory Database
  • Advisories
  • Dependency Scanning
  1. npm
  2. ›
  3. uptime-kuma
  4. ›
  5. CVE-2025-26042

CVE-2025-26042: Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

March 31, 2025 (updated August 7, 2025)

There is a ReDoS vulnerability risk in the system, specifically when administrators create notification through the web service(pushdeer and whapi). If a string is provided that triggers catastrophic backtracking in the regular expression, it may lead to a ReDoS attack.

References

  • gist.github.com/ShiyuBanzhou/26c918f93b07f5ce90e8f7000d29c7a0
  • gist.github.com/ShiyuBanzhou/bf4cee61603e152c114fa8c4791f9f28
  • github.com/advisories/GHSA-hx7h-9vf7-5xhg
  • github.com/louislam/uptime-kuma
  • github.com/louislam/uptime-kuma/commit/7a9191761dbef6551c2a0aa6eed5f693ba48d688
  • github.com/louislam/uptime-kuma/issues/5574
  • github.com/louislam/uptime-kuma/pull/5573
  • github.com/louislam/uptime-kuma/security/advisories/GHSA-hx7h-9vf7-5xhg
  • nvd.nist.gov/vuln/detail/CVE-2025-26042

Code Behaviors & Features

Detect and mitigate CVE-2025-26042 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 1.15.0 up to 1.23.16, all versions starting from 2.0.0-beta.0 before 2.0.0-beta.2

Fixed versions

  • 2.0.0-beta.2

Solution

Upgrade to version 2.0.0-beta.2 or above.

Impact 6 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:H

Learn more about CVSS

Weakness

  • CWE-1333: Inefficient Regular Expression Complexity

Source file

npm/uptime-kuma/CVE-2025-26042.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Sat, 23 Aug 2025 00:20:22 +0000.