cbcvebase.
CVE-2024-56331
published 2024-12-20

CVE-2024-56331: Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on…

PriorityP343medium6.8CVSS 3.1
AVNACLPRLUIRSCCHINAN
EXPLOIT
EPSS
1.79%
75.7th percentile
Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as `file:///etc/passwd`, an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (``) allows users to input arbitrary file paths, including those using the `file:///` protocol, without server-side validation. 2. The server then uses the user-provided URL to make a request, passing it to a browser instance that performs the "real-browser" request, which takes a screenshot of the content at the given URL. If a local file path is entered (e.g., `file:///etc/passwd`), the browser fetches and captures the file’s content. Since the user input is not validated, an attacker can manipulate the URL to request local files (e.g., `file:///etc/passwd`), and the system will capture a screenshot of the file's content, potentially exposing sensitive data. Any **authenticated user** who can submit a URL in "real-browser" mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

4 ranges
VendorProductVersion rangeFixed in
louislamuptime-kuma
louislamuptime-kuma
louislamuptime-kuma>= 1.23.0 < 1.23.161.23.16
louislamuptime-kuma>= 2.0.0-beta.0 < 2.0.0-beta.12.0.0-beta.1

Detection & IOCsextracted from sources · hover to see the quote

urlfile:///etc/passwd
urlview-source:file:///etc/passwd
commandlogin via socketio with {"username": "<user>", "password": "<pass>"} then call "add" with type "real-browser" and url "view-source:file:///etc/passwd"
other/etc/passwd: {'ok': True, 'msg': 'successAdded'
  • Monitor WebSocket (Socket.IO) traffic for 'add' events where the monitor type is 'real-browser' and the URL field contains the 'file://' or 'view-source:file://' protocol prefix, indicating an LFI attempt.
  • Alert on Uptime Kuma monitor creation payloads (Socket.IO 'add' call) containing type='real-browser' combined with a URL starting with 'file://' or 'view-source:file://', which is the exact attack vector for CVE-2024-56331.
  • A successful exploitation response from the server will contain the string "/etc/passwd: {'ok': True, 'msg': 'successAdded'" — use this as a detection signature in WebSocket response logging.
  • Identify exposed Uptime Kuma instances via Shodan using the query http.title:"Uptime Kuma" to enumerate potentially vulnerable targets.
  • ·Exploitation requires authentication — the attacker must first successfully log in via the Socket.IO 'login' event before issuing the malicious 'add' monitor payload.
  • ·The vulnerability is only exploitable when the 'real-browser' monitor type is used; the standard 'http' request type does not trigger the screenshot-based LFI path.
  • ·The exploit PoC requires the python-socketio library to be installed on the attacker's system ('pip install python-socketio'), and connects over WebSocket (ws://) to the target host.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.