UptimeFlare Worker Configuration Exposure Vulnerability

Vulnerability

A vulnerability in UptimeFlare, a serverless uptime monitoring solution using Cloudflare Workers, unintentionally exposes sensitive worker configuration data to the client side. This issue affects versions released between September 21, 2025, and March 4, 2026. The vulnerability arises because the configuration file 'uptime.config.ts' exports both 'pageConfig' (safe for client use) and 'workerConfig' (which contains sensitive data) from the same module. 'workerConfig' was imported directly into client-side components, so confidential information was included in the JavaScript bundle served to users. The exposed data could include internal hostnames, IP addresses, authorization headers, notification webhook URLs with embedded secrets, and webhook payload contents.

Impact

The vulnerability allows any user to access sensitive configuration data through the client-side JavaScript bundle, potentially leading to the exposure of internal monitoring details and confidential webhook information.

Reproduction

The vulnerability can be reproduced by importing 'workerConfig' from 'uptime.config.ts' into a client-side component, such as 'pages/incidents.tsx' or 'pages/index.tsx'. This import will include the entire 'workerConfig' object in the client-side JavaScript bundle, which can then be accessed by anyone visiting the site.

Remediation

Users are advised to upgrade to the latest version of UptimeFlare, as the vulnerability has been patched. After upgrading, any exposed credentials should be considered compromised and rotated.
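
To decide which credentials need rotating, an operator can check which 'workerConfig' values actually appear in the JavaScript their own site served. The following is an added example, not UptimeFlare code; the config field names, values and bundle fragments are constructed for illustration.

```javascript
// Added example (not UptimeFlare code). Config shape and all values are constructed.

// Collect every string leaf of a config object with its path, e.g. "monitors[0].target".
function collectStrings(value, path = '', out = []) {
  if (typeof value === 'string') {
    out.push({ path, value });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => collectStrings(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      collectStrings(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// Return the config paths whose values appear verbatim in the bundle text.
// Short strings (e.g. "GET") are skipped because they match unrelated code.
function findLeakedValues(workerConfig, bundleText, minLength = 8) {
  return collectStrings(workerConfig)
    .filter(({ value }) => value.length >= minLength)
    // Bundlers may emit strings escaped, so test the raw and JSON-escaped forms.
    .filter(({ value }) =>
      bundleText.includes(value) ||
      bundleText.includes(JSON.stringify(value).slice(1, -1)))
    .map(({ path }) => path);
}

// Constructed sample config (hypothetical field names, placeholder secrets).
const sampleWorkerConfig = {
  monitors: [
    { id: 'internal_api', method: 'GET', target: 'https://api.internal.example/health',
      headers: { Authorization: 'Bearer EXAMPLE-TOKEN-0001' } },
  ],
  notification: { webhook: { url: 'https://hooks.example/notify?key=EXAMPLE-SECRET' } },
};

// Constructed bundle fragments standing in for files downloaded from the deployed site.
const leakyBundle = 'self.__cfg={target:"https://api.internal.example/health",' +
  'headers:{Authorization:"Bearer EXAMPLE-TOKEN-0001"}};';
const cleanBundle = 'self.__page={title:"Status page"};';

console.log(findLeakedValues(sampleWorkerConfig, leakyBundle));
console.log(findLeakedValues(sampleWorkerConfig, cleanBundle));
```

Run it against the bundle files from a deployment built with an affected version; every path it reports names a value to treat as compromised.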

Added: Mar 7, 2026, 4:23 PM
Updated: Mar 7, 2026, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 3.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.