Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('"/etc/passwd"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1.
AnalysisAI
Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.
Technical ContextAI
The vulnerability exists in Uptime Kuma's use of the LiquidJS templating engine (a Node.js implementation of Shopify's Liquid template language) within the notification provider system. The root cause, classified as CWE-98 (Improper Control of Filename for Include/Require Statement in Program), stems from an incomplete implementation of file path constraints in notification-provider.js. The initial mitigation added three LiquidJS configuration options (root, relativeReference, dynamicPartials) intended to restrict template file resolution, but these options only prevent path traversal when paths are quoted. The third-stage file resolution mechanism in liquid.node.js uses Node.js's require.resolve() function without any containment checks, allowing unquoted absolute paths to bypass the first two stages of constraint. Quoted paths appear secured only incidentally because literal quote characters in the path argument cause require.resolve('"/etc/passwd"') to fail with MODULE_NOT_FOUND, not due to intentional security design. The affected product is Uptime Kuma (cpe:2.3:a:louislam:uptime-kuma:*:*:*:*:*:*:*:*), an open-source Node.js-based self-hosted monitoring tool.
RemediationAI
Upgrade Uptime Kuma to version 2.2.1 or later immediately, as this version includes the complete fix for the LiquidJS file path containment issue (see https://github.com/louislam/uptime-kuma/releases/tag/2.2.1). For organizations unable to patch immediately, restrict network access to the Uptime Kuma instance to trusted administrative networks only, limit notification template usage to non-sensitive data, and audit all configured notification providers to ensure they do not include user-controlled template content. Additionally, review access control for Uptime Kuma user accounts and revoke credentials for any accounts that are not actively needed, since the vulnerability requires authenticated access. Monitor file access logs on the server for any suspicious access patterns targeting sensitive system files like /etc/passwd or configuration directories.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13670