GHSA-2qgm-m29m-cj2h: uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor

December 20, 2024

An Improper URL Handling Vulnerability allows an attacker to access sensitive local files on the server by exploiting the file:/// protocol. This vulnerability is triggered via the “real-browser” request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as file:///etc/passwd, an attacker can read sensitive data from the server.

References

github.com/advisories/GHSA-2qgm-m29m-cj2h
github.com/louislam/uptime-kuma
github.com/louislam/uptime-kuma/commit/6cfae01a0d3727c517afe512fc8fec1d99acf875
github.com/louislam/uptime-kuma/releases/tag/1.23.16
github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h

Detect and mitigate GHSA-2qgm-m29m-cj2h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →