PT-2025-45774 · Npm · Uptime Kuma
Published 2025-10-20 · Updated 2025-10-20
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
In some Notification types (e.g., Webhook, Telegram), the send() function passes user-controlled input to renderTemplate(). This is a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server.
Details
The root cause is how Uptime Kuma renders user-controlled templates via renderTemplate(). The function instantiates a Liquid template engine with default options and parses the template argument without sanitization or any restriction on the tags it may use:

```js
async renderTemplate(template, msg, monitorJSON, heartbeatJSON) {
    const engine = new Liquid();
    const parsedTpl = engine.parse(template);
    // ...
}
```

In some Notification flows, the send() implementation passes user-editable fields directly into renderTemplate():
```js
// webhook.js
if (notification.webhookContentType === "form-data") {
    const formData = new FormData();
    formData.append("data", JSON.stringify(data));
    config.headers = formData.getHeaders();
    data = formData;
} else if (notification.webhookContentType === "custom") {
    data = await this.renderTemplate(notification.webhookCustomBody, msg, monitorJSON, heartbeatJSON); // <- this line causes the SSTI
}
```

Because the notification object is edited by users and its fields are rendered by the Liquid engine without sandboxing or an allowlist of permitted tags, an attacker can supply a crafted template that makes the server read arbitrary files. In particular, Liquid's file-inclusion tags (e.g. {% render ... %}) resolve their argument against the server's filesystem when the engine is not restricted, so the response to the webhook ends up containing the contents of the referenced file. This is a Server-side Template Injection (SSTI) that leaks sensitive file contents.
PoC
- Open Uptime Kuma → Notifications → Add a new Webhook notification or edit an existing one.
- Set the notification type to Webhook and set Request Body to Custom Body.
- Paste the following template (JSON carrying a Liquid tag) into the custom request body:

```json
{
  "Title": {% render '/etc/passwd' %}
}
```

- Click Test.
- The webhook endpoint receives the contents of /etc/passwd in the request body.
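The following is an added example from the editor, not Uptime Kuma's code or its vendor fix: a pre-parse guard that rejects a user-edited Liquid template if it contains any file-inclusion tag, so a body like the PoC above never reaches the engine. The placement (immediately before the `this.renderTemplate(...)` call on the `custom` branch of webhook.js, and in any other provider that renders user-edited fields) is an assumption; the sample bodies are constructed for the example.

```javascript
// Added example, not Uptime Kuma's code: reject Liquid templates that use
// file-inclusion tags before they reach the Liquid engine.
// Assumed usage: assertSafeTemplate(notification.webhookCustomBody) right
// before this.renderTemplate(...) in webhook.js.

// Liquid tags whose argument is resolved against the filesystem.
const FILE_TAGS = new Set(["render", "include", "include_relative", "layout"]);

// One Liquid tag block: {% name ... %}, including the whitespace-control
// variants ({%- ... -%}) and tags that span several lines.
const TAG_RE = /\{%-?\s*([A-Za-z_]\w*)[\s\S]*?-?%\}/g;

// Returns the forbidden tag names found in the template, in order of appearance.
function findForbiddenTags(template) {
  const found = [];
  for (const match of String(template).matchAll(TAG_RE)) {
    const name = match[1].toLowerCase();
    if (FILE_TAGS.has(name)) {
      found.push(name);
    }
  }
  return found;
}

// Throws if the template uses a forbidden tag; returns it unchanged otherwise.
function assertSafeTemplate(template) {
  const found = findForbiddenTags(template);
  if (found.length > 0) {
    const unique = [...new Set(found)].join(", ");
    throw new Error(`Liquid template rejected: forbidden tag(s) ${unique}`);
  }
  return template;
}

// Boolean form of the same check, convenient for tests and logging.
function isSafeTemplate(template) {
  try {
    assertSafeTemplate(template);
    return true;
  } catch {
    return false;
  }
}

// Constructed inputs: the advisory's PoC body and a benign custom body that
// only uses variable output ({{ ... }}), which the guard leaves alone.
const POC_BODY = `{
  "Title": {% render '/etc/passwd' %}
}`;

const BENIGN_BODY = `{
  "title": "{{ msg }}",
  "monitor": "{{ monitorJSON.name }}",
  "status": {{ heartbeatJSON.status }}
}`;

console.log("PoC body accepted:", isSafeTemplate(POC_BODY));       // false
console.log("benign body accepted:", isSafeTemplate(BENIGN_BODY)); // true
```

The guard is a denylist on tag names, so treat it as defence in depth rather than the fix itself: it will also reject a `render` that sits inside a `{% raw %}` block, and it does nothing about tags the engine might add later. The durable fix is at the engine level; LiquidJS accepts options such as a custom `fs` implementation and a fixed `partials` root, which let the application stop `render`/`include` from reading arbitrary paths regardless of what the template says.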
Impact
This is a post-authentication Server-side Template Injection (SSTI) vulnerability: any authenticated user who can create or edit notifications can read arbitrary files on the server, limited only by the file permissions of the Uptime Kuma process.
Fix
Related identifiers
Affected products
Uptime Kuma