Uptime Kuma Server-side Template Injection Vulnerability Allowing Arbitrary File Read

Vulnerability

A server-side template injection (SSTI) vulnerability has been identified in Uptime Kuma, an open-source monitoring tool, affecting versions from 1.23.0 prior to 2.2.0. The vulnerability arises because the application's template rendering function processes user-controlled input without proper sanitization, and it can be exploited to read arbitrary files from the server. Although a fix was applied in version 2.2.1, the vulnerability in question bypasses the original mitigation by using unquoted absolute paths, thereby reaching sensitive files such as '/etc/passwd'.

Impact

Exploitation of this vulnerability allows authenticated users to read any file on the server, potentially leading to the disclosure of sensitive information.

Reproduction

To reproduce this vulnerability, log into Uptime Kuma and navigate to any monitor. Edit the monitor and set up a Webhook notification. In the 'Request Body' section, select 'Custom Body' and enter a crafted JSON payload that includes a Liquid template tag rendering an unquoted absolute file path, such as '/etc/passwd'. After testing the notification, the webhook will receive the file contents as part of the request.
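As an added example, not part of this advisory or of Uptime Kuma's own code, the following Node.js audit scans a stored webhook custom body for Liquid block tags whose arguments carry an absolute path, quoted or unquoted, and contrasts it with a naive check that only looks for quoted paths and therefore misses the unquoted form described above. The tag allowlist, the use of `include` as the file-loading tag and the sample bodies are assumptions constructed for this example.

```javascript
// Added example (not Uptime Kuma's code): audit a webhook "Custom Body" for
// Liquid block tags that could pull a server file into the rendered output.
// The allowlist and the "include" tag in the samples are assumptions.

const ALLOWED_TAGS = new Set([
  "if", "elsif", "else", "endif", "unless", "endunless", "for", "endfor",
  "assign", "capture", "endcapture", "case", "when", "endcase",
]);

// {% tag args %}, tolerating whitespace-control dashes.
const TAG_RE = /\{%-?\s*(\w+)\s*([^%]*?)\s*-?%\}/g;
// An absolute path token: POSIX "/..." or a Windows drive "C:\...".
const ABS_PATH_RE = /(?:^|[\s"'(,=])((?:\/|[A-Za-z]:[\\\/])[^\s"'%]*)/;

// Returns one finding per suspicious tag; an empty array means clean.
function auditCustomBody(body) {
  const findings = [];
  for (const [raw, tag, args] of body.matchAll(TAG_RE)) {
    const finding = { tag, raw, reasons: [] };
    if (!ALLOWED_TAGS.has(tag)) finding.reasons.push("tag not in allowlist");
    const m = ABS_PATH_RE.exec(" " + args);
    if (m) {
      finding.path = m[1];
      // Quoted or not, an absolute path in a tag argument is a red flag.
      finding.reasons.push(/["']/.test(args) ? "quoted absolute path"
                                              : "unquoted absolute path");
    }
    if (finding.reasons.length) findings.push(finding);
  }
  return findings;
}

// Naive check that only sees quoted absolute paths inside a block tag;
// it returns false for the unquoted variant, which is the bypass.
function quotedPathOnlyCheck(body) {
  return /\{%[^%]*["'](?:\/|[A-Za-z]:[\\\/])[^"']*["'][^%]*%\}/.test(body);
}

// Constructed sample bodies (not real monitor data).
const SAMPLES = {
  benign: '{"text": "{{ monitorJSON.name }} is {{ heartbeatJSON.status }}"}',
  quoted: '{"text": "{% include "/etc/passwd" %}"}',
  unquoted: '{"text": "{% include /etc/passwd %}"}',
};

const REPORT = Object.fromEntries(Object.entries(SAMPLES).map(([name, body]) =>
  [name, { naive: quotedPathOnlyCheck(body), findings: auditCustomBody(body) }]));
console.log(JSON.stringify(REPORT, null, 2));
```

Running it over stored notification configs gives an administrator a quick list of monitors whose custom bodies deserve a look; the allowlist should be tightened to whatever tags your templates actually need.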

Remediation

Users can update to Uptime Kuma version 2.2.1, where this vulnerability has been fixed.

Added: Mar 20, 2026, 10:26 AM
Updated: Mar 20, 2026, 10:26 AM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.