CVE-2023-36821

Name of the Vulnerable Software and Affected Versions Uptime Kuma versions prior to 1.22.1

Description The issue allows an authenticated attacker to install a maliciously crafted plugin, potentially leading to remote code execution. Uptime Kuma permits authenticated users to install plugins from an official list, although this feature is currently disabled in the web interface. The corresponding API endpoints remain available after login. A malicious plugin can exploit npm scripts to gain remote code execution because the plugin is not validated against the official list or installed with npm install --ignore-scripts.

Recommendations For versions prior to 1.22.1, update to version 1.22.1 or later to resolve the issue. As a temporary workaround, consider disabling the plugin installation feature until a patch is available. Restrict access to the API endpoints related to plugin installation to minimize the risk of exploitation. Avoid using the npm install command without the --ignore-scripts option in the plugin installation directory until the issue is resolved.