PT-2025-45774 · Npm · Uptime Kuma

Published: 2025-10-20 · Updated: 2025-10-20

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

In some Notification types (e.g., Webhook, Telegram), the send() function passes user-controlled input to renderTemplate(). This results in a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server.

Details

The root cause is how Uptime Kuma renders user-controlled templates via renderTemplate(). The function instantiates a Liquid template engine and parses the template argument without sanitization:
```js
async renderTemplate(template, msg, monitorJSON, heartbeatJSON) {
  const engine = new Liquid();
  const parsedTpl = engine.parse(template);

  // ...
}
```
In some Notification flows, the send() implementation passes user-editable fields directly into renderTemplate():
```js
// webhook.js
if (notification.webhookContentType === "form-data") {
  const formData = new FormData();
  formData.append("data", JSON.stringify(data));
  config.headers = formData.getHeaders();
  data = formData;
} else if (notification.webhookContentType === "custom") {
  // <- this line causes the SSTI: webhookCustomBody is user-editable
  data = await this.renderTemplate(notification.webhookCustomBody, msg, monitorJSON, heartbeatJSON);
}
```
Because the notification configuration can be edited by users and its fields are rendered by the Liquid engine without sandboxing or an allow-list of permitted operations, an attacker can supply a crafted template that causes the server to read arbitrary files. In particular, Liquid's file-including template tags (e.g. {% render ... %}) can be abused to pull server-side files into the rendered output if the engine is not restricted, resulting in Server-side Template Injection (SSTI) that leaks sensitive file contents.
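As an added illustration of the mitigation side (this is not Uptime Kuma's code and not the project's actual fix), the block below shows two defensive layers for rendering user-controlled Liquid templates: an allow-list check on tag names that rejects file-including tags such as render/include/layout (and the multi-line liquid tag, which could hide them) before a notification is saved, and a deny-all filesystem adapter intended for liquidjs's `fs` constructor option, so that even a template that reaches the engine cannot make it touch the disk. The method names on the adapter follow liquidjs's filesystem interface as I recall it and are an assumption to verify against the version in use; the `require("liquidjs")` is guarded so the validation logic runs even where the package is not installed.

```javascript
// Added example (not Uptime Kuma code): defence in depth for user-controlled
// Liquid templates. Layer 1 is a tag allow-list applied at save time; layer 2
// is a filesystem adapter for the engine that refuses every read.

// Only plain control-flow and variable tags are permitted. Anything else,
// including render, include, layout and the multi-line "liquid" tag, is rejected.
const ALLOWED_TAGS = new Set([
  "if", "elsif", "else", "endif",
  "unless", "endunless",
  "case", "when", "endcase",
  "for", "endfor", "break", "continue",
  "assign", "capture", "endcapture",
  "comment", "endcomment",
  "echo",
]);

// Captures the tag name that opens each {% ... %} or {%- ... -%} block.
const TAG_RE = /\{%-?\s*([A-Za-z_]\w*)/g;

// Returns { ok, rejected }; `rejected` lists each disallowed tag name once.
// Fails closed: a {% render %} inside {% raw %} is still rejected.
function validateTemplateTags(template) {
  const rejected = [];
  for (const m of template.matchAll(TAG_RE)) {
    const tag = m[1];
    if (!ALLOWED_TAGS.has(tag) && !rejected.includes(tag)) rejected.push(tag);
  }
  return { ok: rejected.length === 0, rejected };
}

function refuse(method) {
  return () => {
    throw new Error(`template engine filesystem access refused (${method})`);
  };
}

// Deny-all adapter for `new Liquid({ fs: denyAllFs })`. The method set follows
// liquidjs's FS interface as I recall it (assumption: check your version's docs).
const denyAllFs = {
  readFile: async (...args) => refuse("readFile")(...args),
  readFileSync: refuse("readFileSync"),
  exists: async () => false,
  existsSync: () => false,
  resolve: refuse("resolve"),
  contains: () => false,
  sep: "/",
  dirname: refuse("dirname"),
};

// Guarded import so the example still runs where liquidjs is absent.
let Liquid = null;
try {
  ({ Liquid } = require("liquidjs"));
} catch (_) {
  // liquidjs not installed (or ESM context): validation layer still works.
}

// Hypothetical replacement for the unrestricted renderTemplate(): validate the
// tags first, then render with an engine that has no filesystem access.
async function renderNotificationBody(template, context) {
  const check = validateTemplateTags(template);
  if (!check.ok) {
    throw new Error(`template rejected, disallowed tags: ${check.rejected.join(", ")}`);
  }
  if (!Liquid) return null; // engine unavailable in this environment
  const engine = new Liquid({ fs: denyAllFs });
  return engine.parseAndRender(template, context);
}

// Usage: the advisory's own payload is refused before any rendering happens.
const payload = "{\n \"Title\": {% render '/etc/passwd' %}\n}";
validateTemplateTags(payload); // -> { ok: false, rejected: ["render"] }
```

The tag scanner alone is not sufficient: regex parsing of Liquid is approximate, which is why the allow-list is deliberately narrow and why the engine-level filesystem restriction is the layer that actually prevents file reads. The same `validateTemplateTags()` can be run over stored notification configurations to find templates that already carry file-including tags.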

PoC

  1. Open Uptime Kuma → Notifications → Add or edit an existing Webhook notification.
  2. Set the notification type to Webhook and set Request Body to Custom Body.
  3. Paste the following JSON into the custom request body:
```json
{
 "Title": {% render '/etc/passwd' %}
}
```
  4. Click Test.
  5. Your webhook will receive the file content.

Impact

This is a post-authentication Server-side Template Injection (SSTI) vulnerability that allows an authenticated user to perform arbitrary file read on the server.

Fix


Weakness Enumeration

Related Identifiers

GHSA-VFFH-C9PQ-4CRH

Affected Products

Uptime Kuma