Nezha
Monthly
Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redirect OAuth2 callback URLs to attacker-controlled domains, enabling OAuth token theft and account takeover. The flaw resides in the getRedirectURL function (oauth2.go:22-29), which blindly concatenates the HTTP request's Host header with a fixed path when constructing the OAuth2 redirect URL, with no allowlisting or validation performed. A vendor-released patch exists in version 2.2.0; no public exploit has been identified at time of analysis and the vulnerability is not in the CISA KEV catalog.
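An added illustration of the redirect-construction pattern described above beside a hardened form; this is not Nezha's own code, and the callback path, the function names and the origin list are assumed placeholders:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed placeholder; the real callback path is not shown on this page.
const callbackPath = "/api/v1/oauth2/callback"

// weakRedirectURL mirrors the flaw: the OAuth2 redirect target is built from
// whatever Host header the client supplied, so the client chooses the domain.
func weakRedirectURL(reqHost string) string {
	return "https://" + reqHost + callbackPath
}

// safeRedirectURL only uses the request Host when it matches one of the
// operator-configured dashboard origins; any other value is rejected so the
// OAuth2 provider never receives an attacker-chosen callback.
func safeRedirectURL(allowedHosts []string, reqHost string) (string, error) {
	if len(allowedHosts) == 0 {
		return "", errors.New("no dashboard origin configured")
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(h, reqHost) {
			u := url.URL{Scheme: "https", Host: h, Path: callbackPath}
			return u.String(), nil
		}
	}
	return "", fmt.Errorf("host %q is not an allowed dashboard origin", reqHost)
}

func main() {
	allowed := []string{"monitor.example.com"} // constructed configuration value
	for _, h := range []string{"monitor.example.com", "evil.example"} {
		fmt.Println("weak:", weakRedirectURL(h))
		u, err := safeRedirectURL(allowed, h)
		fmt.Println("safe:", u, err)
	}
}
```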
Unbounded WebSocket stream allocation in Nezha Monitoring versions 1.0.0 through 2.1.x allows any authenticated dashboard user to exhaust server memory and crash the monitoring service. The two affected endpoints - POST /api/v1/terminal and POST /api/v1/file - each insert a long-lived ioStreamContext into a global Go map with no per-user rate limit, no global semaphore, and no per-server connection cap, making repeated calls a trivial denial-of-service vector. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; the vendor released a patch in version 2.2.0.
Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre-populate their server record with nonexistent DDNS profile IDs, then hijack any future victim-owned DDNS profile whose auto-assigned ID collides with a pre-stored value. Affected versions span 2.0.14 through pre-2.1.0 of the self-hosted nezhahq/nezha platform. When the collision occurs, the DDNS worker dispatches DNS updates on behalf of the attacker's server using the victim's DDNS provider credentials and configuration, achieving cross-tenant DNS manipulation and disrupting the victim's legitimate DDNS service. No public exploit identified at time of analysis; vendor-released patch available in version 2.1.0.
Nezha Monitoring versions 2.0.14 through 2.1.0 (exclusive) allow any authenticated user to exploit the NAT-based Host claiming mechanism to preempt all dashboard routing, resulting in complete availability loss for the monitoring platform. The vulnerability stems from CWE-284 (Improper Access Control) - the application fails to properly restrict which authenticated principals may register or override a dashboard Host identity via NAT traversal. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated path traversal in Nezha Monitoring (nezhahq/nezha) before 2.0.13 allows remote attackers to read arbitrary files from the dashboard host by abusing the NoRoute fallbackToFrontend handler. The handler matches the /dashboard prefix with strings.HasPrefix rather than a path-segment comparison, so a request like /dashboard../data/config.yaml is normalized by path.Join into the application's data directory and served by http.ServeFile. No public exploit identified at time of analysis, but the bypass is trivially reproducible from the disclosed root-cause writeup.
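An added example, not code from the nezhahq/nezha project, contrasting the string-prefix match described above with a path-segment check and showing how path.Join collapses the ".." segment; the frontend root directory and the function names are assumed placeholders:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed placeholder for the directory the frontend is served from.
const frontendRoot = "/app/dashboard"

// weakIsDashboard mirrors the flaw: a character-level prefix test accepts
// "/dashboard../x" because "/dashboard" matches the first ten bytes.
func weakIsDashboard(reqPath string) bool {
	return strings.HasPrefix(reqPath, "/dashboard")
}

// safeIsDashboard compares whole path segments: the request must be exactly
// "/dashboard" or continue with a "/" separator.
func safeIsDashboard(reqPath string) bool {
	return reqPath == "/dashboard" || strings.HasPrefix(reqPath, "/dashboard/")
}

// resolve reproduces the normalisation step: the remainder after the prefix
// is joined onto the frontend root, and path.Join collapses ".." segments.
func resolve(reqPath string) string {
	rest := strings.TrimPrefix(reqPath, "/dashboard")
	return path.Join(frontendRoot, rest)
}

// escapesRoot is the post-normalisation check a file-serving handler should
// make regardless of routing: the resolved path must stay under the root.
func escapesRoot(resolved string) bool {
	return resolved != frontendRoot && !strings.HasPrefix(resolved, frontendRoot+"/")
}

func main() {
	for _, p := range []string{"/dashboard/index.html", "/dashboard../data/config.yaml"} {
		r := resolve(p)
		fmt.Printf("%-32s weak=%v safe=%v resolved=%s escapes=%v\n",
			p, weakIsDashboard(p), safeIsDashboard(p), r, escapesRoot(r))
	}
}
```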