PT-2023-31363 · Unknown · Uptime Kuma

Vaadata-Pascala · Published 2023-12-11 · Updated 2023-12-14 · CVE-2023-49805

CVSS v3.1: 6.0 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Uptime Kuma versions prior to 1.23.9

Description: Uptime Kuma is a self-hosted monitoring tool that uses WebSocket with Socket.io. Prior to version 1.23.9, the application does not verify the source of communication, allowing third-party websites to access the application on behalf of their clients. The server does not validate the Origin header, enabling other sites to open connections to the server and communicate with it. Although other websites still need to authenticate to access most features, this can be used to circumvent firewall protections. Without login credentials, such a connection cannot access protected endpoints containing sensitive data, but it may allow attackers to further exploit unseen vulnerabilities. Users with "No-auth" mode configured who rely on a reverse proxy or firewall for protection would be especially vulnerable.

Recommendations: For versions prior to 1.23.9, update to version 1.23.9 or later, which includes additional verification of the HTTP Origin header in the Socket.io connection handler. As a temporary workaround, consider setting the environment variable UPTIME_KUMA_WS_ORIGIN_CHECK=bypass to override the default behavior, but be aware that this may introduce additional security risks.
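The kind of Origin check the fix describes, written as an added example for this advisory rather than Uptime Kuma's own code: the Socket.io handshake is an ordinary HTTP request, so the Host and Origin headers can be compared before the session is accepted. The function name checkHandshakeOrigin and the opts.originCheck option are assumptions made here; the bypass value mirrors the UPTIME_KUMA_WS_ORIGIN_CHECK=bypass workaround named above.

```javascript
// Added example, not the project's code. Pure function so it runs without socket.io.
// headers: lower-cased request headers as Node's http module provides them.
// opts.originCheck: "bypass" disables the check (mirrors UPTIME_KUMA_WS_ORIGIN_CHECK=bypass).
// Returns { ok, reason } so the caller can both decide and log the decision.
function checkHandshakeOrigin(headers, opts = {}) {
  if (opts.originCheck === "bypass") {
    return { ok: true, reason: "origin check bypassed by configuration" };
  }
  const host = headers.host;
  const origin = headers.origin;

  // Non-browser clients (curl, monitoring scripts) send no Origin header.
  // Browsers always attach one to WebSocket and cross-site polling handshakes,
  // so a missing header cannot have come from a third-party web page.
  if (origin === undefined) {
    return { ok: true, reason: "no Origin header (non-browser client)" };
  }
  if (!host) {
    return { ok: false, reason: "missing Host header" };
  }

  // Origin "null" (sandboxed or opaque origins) fails to parse and is refused.
  let originUrl;
  try {
    originUrl = new URL(origin);
  } catch {
    return { ok: false, reason: `unparseable Origin: ${origin}` };
  }

  // Compare host[:port] of the Origin with the Host the client connected to.
  // A page served from another site carries that site's origin and is refused,
  // which is what closes the cross-site connection described in the advisory.
  if (originUrl.host !== host) {
    return { ok: false, reason: `Origin ${originUrl.host} does not match Host ${host}` };
  }
  return { ok: true, reason: "Origin matches Host" };
}

// Wiring into Socket.io (left as a comment so this file needs no dependency):
// const io = new Server(httpServer, {
//   allowRequest: (req, cb) => {
//     const r = checkHandshakeOrigin(req.headers,
//       { originCheck: process.env.UPTIME_KUMA_WS_ORIGIN_CHECK });
//     cb(r.ok ? null : r.reason, r.ok);   // refused handshakes get an HTTP 403
//   },
// });
```

Log the reason on refusals: a burst of mismatched Origins against a monitor that sits behind a reverse proxy is the signal a defender would want to see.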

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2023-49805, GHSA-MJ22-23FF-2HRR

Affected Products: Uptime Kuma