CVE-2024-56331
published 2024-12-20CVE-2024-56331: Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on…
PriorityP343medium6.8CVSS 3.1
AVNACLPRLUIRSCCHINAN
EXPLOIT
EPSS
1.79%
75.7th percentile
Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as `file:///etc/passwd`, an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (``) allows users to input arbitrary file paths, including those using the `file:///` protocol, without server-side validation. 2. The server then uses the user-provided URL to make a request, passing it to a browser instance that performs the "real-browser" request, which takes a screenshot of the content at the given URL. If a local file path is entered (e.g., `file:///etc/passwd`), the browser fetches and captures the file’s content. Since the user input is not validated, an attacker can manipulate the URL to request local files (e.g., `file:///etc/passwd`), and the system will capture a screenshot of the file's content, potentially exposing sensitive data. Any **authenticated user** who can submit a URL in "real-browser" mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| louislam | uptime-kuma | — | — |
| louislam | uptime-kuma | — | — |
| louislam | uptime-kuma | >= 1.23.0 < 1.23.16 | 1.23.16 |
| louislam | uptime-kuma | >= 2.0.0-beta.0 < 2.0.0-beta.1 | 2.0.0-beta.1 |
Detection & IOCsextracted from sources · hover to see the quote
urlview-source:file:///etc/passwd
commandlogin via socketio with {"username": "<user>", "password": "<pass>"} then call "add" with type "real-browser" and url "view-source:file:///etc/passwd"
other/etc/passwd: {'ok': True, 'msg': 'successAdded'
- →Monitor WebSocket (Socket.IO) traffic for 'add' events where the monitor type is 'real-browser' and the URL field contains the 'file://' or 'view-source:file://' protocol prefix, indicating an LFI attempt.
- →Alert on Uptime Kuma monitor creation payloads (Socket.IO 'add' call) containing type='real-browser' combined with a URL starting with 'file://' or 'view-source:file://', which is the exact attack vector for CVE-2024-56331.
- →A successful exploitation response from the server will contain the string "/etc/passwd: {'ok': True, 'msg': 'successAdded'" — use this as a detection signature in WebSocket response logging.
- →Identify exposed Uptime Kuma instances via Shodan using the query http.title:"Uptime Kuma" to enumerate potentially vulnerable targets.
- ·Exploitation requires authentication — the attacker must first successfully log in via the Socket.IO 'login' event before issuing the malicious 'add' monitor payload. ↗
- ·The vulnerability is only exploitable when the 'real-browser' monitor type is used; the standard 'http' request type does not trigger the screenshot-based LFI path. ↗
- ·The exploit PoC requires the python-socketio library to be installed on the attacker's system ('pip install python-socketio'), and connects over WebSocket (ws://) to the target host.
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
osv·2024-12-20
CVE-2024-56331 [MEDIUM] uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
### Summary
An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as `file:///etc/passwd`, an attacker can read sensitive data from the server.
### Details
The vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically:
1. The URL input (``) allows users to input arbitrary file paths, including those using the `file:///` protocol, without server-side validati
GHSA
uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
ghsa·2024-12-20
CVE-2024-56331 [MEDIUM] CWE-22 uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor
### Summary
An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as `file:///etc/passwd`, an attacker can read sensitive data from the server.
### Details
The vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically:
1. The URL input (``) allows users to input arbitrary file paths, including those using the `file:///` protocol, without server-side validati
No detection rules found.
Nuclei
Uptime-Kuma - Local File Inclusion (LFI)
nuclei·CVSS 6.8
CVE-2024-56331 [MEDIUM] Uptime-Kuma - Local File Inclusion (LFI)
Uptime-Kuma - Local File Inclusion (LFI)
Uptime Kuma has an Improper URL Handling vulnerability that can be exploited through the "real-browser" feature.
By providing a URL using the file:/// protocol (e.g., file:///etc/passwd), an attacker can obtain a screenshot
of local sensitive files, because the user input is not validated by the server.
Template:
id: CVE-2024-56331
info:
name: Uptime-Kuma - Local File Inclusion (LFI)
author: hyni03
severity: critical
description: |
Uptime Kuma has an Improper URL Handling vulnerability that can be exploited through the "real-browser" feature.
By providing a URL using the file:/// protocol (e.g., file:///etc/passwd), an attacker can obtain a screenshot
of local sensitive files, because the user input is not validated by the server.
impact: |
An a
No writeups or analysis indexed.
2024-12-20
Published