CVE-2024-56331
📋 TL;DR
Uptime Kuma has an improper URL handling vulnerability that lets an authenticated attacker read local files on the server. A monitor of the 'real-browser' request type hands its URL to a headless browser for a screenshot; because the URL scheme is not restricted, a file:/// URL makes the browser render a local file such as /etc/passwd and the screenshot returns its contents. Any authenticated user who can create or edit a monitor can exploit it.
💻 Affected Systems
- Uptime Kuma
⚠️ Manual Verification Required
The CVE record in this database carries no version range, so automatic vulnerability detection cannot decide whether your system is affected.
Why? The NVD entry does not specify which versions are vulnerable. The vendor advisory does name 1.23.16 as the fixed release (see Fix & Mitigation), so treat any earlier version as affected.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise: any text file the Uptime Kuma process can read and the browser can render (SSH private keys, .env files, database or cloud credentials, other configuration) is exposed, enabling privilege escalation on the host and lateral movement to the systems those secrets unlock.
Likely Case
Exfiltration of sensitive system files containing passwords, configuration data, or application secrets that could enable further attacks.
If Mitigated
Limited impact when Uptime Kuma runs as an unprivileged user inside a container with a minimal filesystem, so that little beyond its own data directory is readable; network segmentation then bounds what any secret that is still read can reach.
🎯 Exploit Status
Exploitation is straightforward - authenticated users simply need to create a monitor with file:/// URLs. The GitHub advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.23.16
Vendor Advisory: https://github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h
Restart Required: Yes
Instructions:
1. Back up your Uptime Kuma data directory (/app/data in the Docker image).
2. Stop the Uptime Kuma service.
3. Update to version 1.23.16 or later using your deployment method (Docker, npm, etc.).
4. Restart the service.
5. Verify the update was successful (see How to Verify).
🔧 Temporary Workarounds
Disable real-browser monitoring
All platforms: Remove or disable every monitor that uses the 'real-browser' request type. Note that any user who can create monitors can add one back, so this only holds if monitor editing is limited to trusted users.
Restrict file system access
Linux/Docker: Run Uptime Kuma in a container or with minimal filesystem permissions so that only a small set of files is readable. This does not fix the bug: files inside the container (including the mounted data volume) remain readable to the monitor, but host files such as /etc/shadow or SSH keys are out of reach.
docker run -v uptime-kuma-data:/app/data -p 3001:3001 louislam/uptime-kuma:1
🧯 If You Can't Patch
- Disable or restrict access to the Uptime Kuma web interface to only trusted users
- Implement network segmentation to isolate Uptime Kuma from sensitive systems and files
🔍 How to Verify
Check if Vulnerable:
Check if your Uptime Kuma version is below 1.23.16 and if you have monitors using 'real-browser' request type
Check Version:
Check the version under Settings > About in the web interface, or read it from the application's package.json inside the container (the image keeps the application in /app): docker exec uptime-kuma cat /app/package.json | grep '"version"'
Verify Fix Applied:
After updating to 1.23.16 or later, try to create a 'real-browser' monitor with a file:/// URL: the patched version refuses to load it (the monitor is rejected on save or fails its check instead of producing a screenshot). Also inspect existing monitors, since any created before the patch still record the URL.
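The following is an added example, not code from Uptime Kuma or from this advisory. It puts the two checks above into a script: a version comparison against the fixed release, and a scan of the monitor table for 'real-browser' monitors whose URL is not plain http(s), which is exactly the shape of the exploit and also serves the Detection section below, since the SQLite database rather than the log is the authoritative record of monitor URLs. The table name monitor, the columns type and url, and the path /app/data/kuma.db are taken from the Docker image layout and schema and are assumptions here; the sample rows are constructed, not captured from a real instance.

```python
"""Offline checks for CVE-2024-56331 exposure in an Uptime Kuma instance.

Check 1: is the installed version older than the fixed release, 1.23.16?
Check 2: does the monitor table hold real-browser monitors whose URL is not
plain http(s)?  The SQLite database is the authoritative record of monitor
URLs, so this is what to scan rather than the application log.
"""
import sqlite3
from urllib.parse import urlsplit

FIXED_VERSION = (1, 23, 16)          # first release carrying the fix
ALLOWED_SCHEMES = {"http", "https"}  # the only schemes a monitor should load


def parse_version(text):
    """'v1.23.15' -> (1, 23, 15); a '-beta.1' style suffix is ignored."""
    core = text.strip().lstrip("vV").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(version):
    """True when the running version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def url_is_allowed(url):
    """Scheme allowlist: the check a hardened real-browser monitor should
    apply before handing a URL to headless Chromium.  file:, javascript:,
    data:, about:, chrome: and bare paths are all rejected.  urlsplit()
    lower-cases the scheme, so FILE:/// does not slip through, and the
    strip() stops a leading space from hiding the scheme."""
    scheme = urlsplit(url.strip()).scheme
    return scheme in ALLOWED_SCHEMES


def find_exposing_monitors(conn):
    """(id, name, url) of every real-browser monitor whose URL fails the
    allowlist.  The SELECT is the one to run against the real kuma.db
    (assumed schema: table 'monitor', columns 'type' and 'url')."""
    rows = conn.execute(
        "SELECT id, name, url FROM monitor "
        "WHERE type = 'real-browser' ORDER BY id"
    ).fetchall()
    return [(mid, name, url) for mid, name, url in rows
            if not url_is_allowed(url or "")]


def build_sample_db():
    """Constructed in-memory stand-in for kuma.db.  Only the columns the
    check needs are modelled; the real table has many more.  Rows are
    made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE monitor (id INTEGER PRIMARY KEY, name TEXT, "
        "type TEXT, url TEXT)"
    )
    conn.executemany(
        "INSERT INTO monitor (name, type, url) VALUES (?, ?, ?)",
        [
            ("Website",  "real-browser", "https://example.com"),        # legitimate
            ("API",      "http",         "https://api.example.com/"),   # not real-browser
            ("ops page", "real-browser", "FILE:///etc/passwd"),         # upper-case scheme
            ("internal", "real-browser", " file:///app/data/kuma.db"),  # leading space
            ("status",   "real-browser", "javascript:alert(1)"),        # not file:, still bad
            ("legacy",   "real-browser", "/etc/shadow"),                # bare path
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    # Against a live instance open the database read-only, e.g.
    #   conn = sqlite3.connect("file:/app/data/kuma.db?mode=ro", uri=True)
    print("vulnerable version:", is_vulnerable_version("1.23.15"))
    for row in find_exposing_monitors(build_sample_db()):
        print("review monitor:", row)
```

Run it against a copy of kuma.db taken while the service is stopped, or open the live file read-only as the comment shows; every row it prints is a monitor to delete before or after patching, since the patch does not remove existing monitors.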
📡 Detection & Monitoring
Log Indicators:
- Unusual file:/// URLs in monitor creation logs
- Multiple failed screenshot attempts from unusual URLs
Network Indicators:
- None on the wire: a file:/// load by the headless browser generates no network traffic. Look instead at the host: a Chromium process spawned by the Uptime Kuma process opening files outside the application's data directory (auditd rules on /etc/passwd, /etc/shadow, ~/.ssh and similar).
Data Indicators:
- Rows in the monitor table of the SQLite database (/app/data/kuma.db in the container) with type 'real-browser' and a URL whose scheme is not http or https. Uptime Kuma's own log does not reliably record monitor URLs, so the database is the record to check.
SIEM Query:
source="uptime-kuma" AND request_type="real-browser" AND NOT (url="http://*" OR url="https://*")
Matching on request_type alone would flag every legitimate real-browser monitor; the NOT clause keeps only URLs with an unexpected scheme (file:, javascript:, data:, or a bare path).