CVE-2025-26042: Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
(updated )
There is a ReDoS vulnerability risk in the system, specifically when administrators create notification through the web service(pushdeer and whapi). If a string is provided that triggers catastrophic backtracking in the regular expression, it may lead to a ReDoS attack.
References
- gist.github.com/ShiyuBanzhou/26c918f93b07f5ce90e8f7000d29c7a0
- gist.github.com/ShiyuBanzhou/bf4cee61603e152c114fa8c4791f9f28
- github.com/advisories/GHSA-hx7h-9vf7-5xhg
- github.com/louislam/uptime-kuma
- github.com/louislam/uptime-kuma/commit/7a9191761dbef6551c2a0aa6eed5f693ba48d688
- github.com/louislam/uptime-kuma/issues/5574
- github.com/louislam/uptime-kuma/pull/5573
- github.com/louislam/uptime-kuma/security/advisories/GHSA-hx7h-9vf7-5xhg
- nvd.nist.gov/vuln/detail/CVE-2025-26042
Code Behaviors & Features
Detect and mitigate CVE-2025-26042 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →