Uptime Kuma Regular Expression Denial-of-Service Vulnerability

Vulnerability

A regular expression denial-of-service (ReDoS) vulnerability has been identified in Uptime Kuma versions through 1.23.0. This issue arises when an administrator creates a notification via the web service. The vulnerability is triggered by a string that causes catastrophic backtracking in the regular expression used to match URL endings, leading to excessive CPU resource consumption.

Impact

Exploitation of this vulnerability causes high CPU usage and application lag, disrupting normal business logic processes.

Reproduction

The vulnerability can be reproduced by sending a notification through the PushDeer or Whapi notification providers with a crafted URL that contains a large number of slashes followed by a non-slash character. On such input the regular expression backtracks over the run of slashes repeatedly, re-examining each slash from every starting position, and consumes significant CPU time before it fails to match.
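To make the failure mode concrete, the following added example (not Uptime Kuma's code) assumes the affected provider stripped trailing slashes from a base URL with a pattern equivalent to `/\/+$/`; it shows why that pattern is quadratic on the input shape described above, and a linear-time replacement plus a length guard.

```javascript
// Assumption: the affected code normalised a URL with a pattern like /\/+$/.
// On "<many slashes>x" the engine tries \/+ from every slash, greedily eats
// the rest of the run, fails at $, then gives back one slash at a time
// before retrying from the next position: O(n^2) steps for n slashes.
const TRAILING_SLASHES = /\/+$/;

function stripTrailingSlashesRegex(url) {
  return url.replace(TRAILING_SLASHES, "");
}

// Hardened form: scan back from the end once. No backtracking is possible,
// so cost is O(n) regardless of where the slashes sit in the string.
function stripTrailingSlashesLinear(url) {
  let end = url.length;
  while (end > 0 && url[end - 1] === "/") end--;
  return url.slice(0, end);
}

// Belt and braces: bound attacker-controlled length before any processing.
const MAX_URL_LENGTH = 2048; // hypothetical limit, not from the project
function normaliseBaseUrl(url) {
  if (typeof url !== "string" || url.length > MAX_URL_LENGTH) {
    throw new Error("URL missing or longer than " + MAX_URL_LENGTH);
  }
  return stripTrailingSlashesLinear(url);
}

// Constructed input of the shape the advisory describes.
function craftedInput(slashCount) {
  return "https://example.invalid/" + "/".repeat(slashCount) + "x";
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Compare both implementations on the same crafted input; returns the
// timings and whether the outputs agree (they always should).
function compareTimings(slashCount) {
  const input = craftedInput(slashCount);
  const regexMs = timeMs(() => stripTrailingSlashesRegex(input));
  const linearMs = timeMs(() => stripTrailingSlashesLinear(input));
  const same = stripTrailingSlashesRegex(input) === stripTrailingSlashesLinear(input);
  return { regexMs, linearMs, same };
}

console.log(compareTimings(20000)); // regexMs grows quadratically, linearMs does not
```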

Remediation

Users can update to Uptime Kuma version 1.23.1 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.