CVE-2026-53522
Published 2026-06-12
Priority: P337
Severity: medium (CVSS 3.1 base score 6.5)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.29% (20.6th percentile)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | nezhahq_nezha | >= 1.0.0 < 2.2.0 | 2.2.0 |
| nezhahq | nezha | — | — |
GHSA
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS
ghsa · 2026-06-26 · CVE-2026-53522 · MEDIUM · CWE-770
## 1. Description
The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents:
- `POST /api/v1/terminal` → `createTerminal()` (terminal.go:27-67)
- `POST /api/v1/file` → `createFM()` (fm.go:28-67)
Both call `rpc.NezhaHandlerSingleton.CreateStream(streamId, ...)` which inserts a new `ioStreamContext` into an **unbounded** `map[string]*ioStreamContext` (`s.ioStreams` in `io_stream.go:59-67`). There is **no per-user rate limit, no global semaphore, and no per-server connection cap**. Each stream allocates:
1. A `ioStreamContext` struct with several channels and sync primitives
2. Two goroutines via `StartStream()` (io_stream.go:358-369) — bidirectional `io.CopyBuffer`
3. A g
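The weakness described above is the absence of any bound on how many stream contexts a caller can register. The following is an added illustration of the fix pattern, not Nezha's own code or its 2.2.0 patch: a registry that keeps the same streamID-to-context map but checks a global cap, a per-user cap and a per-server cap under one lock before the caller is allowed to allocate channels and goroutines, and that releases the slots when the stream ends. The type and function names (`streamRegistry`, `streamOwner`, `Create`, `Close`, `Active`) and the cap values are hypothetical; the real context (`ioStreamContext`) is replaced by a minimal owner record.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrStreamLimit is returned when creating a stream would exceed a cap.
var ErrStreamLimit = errors.New("stream limit reached")

// streamOwner is a placeholder for the real per-stream context; only the
// bookkeeping the caps need is kept here. (Hypothetical type.)
type streamOwner struct {
	user   string // dashboard user that opened the stream
	server string // monitored agent the stream is attached to
}

// streamRegistry is a hypothetical bounded registry: the streamID -> context
// map plus per-user, per-server and global counters guarded by one mutex.
type streamRegistry struct {
	mu        sync.Mutex
	streams   map[string]streamOwner
	perUser   map[string]int
	perServer map[string]int
	maxGlobal int
	maxUser   int
	maxServer int
}

func newStreamRegistry(maxGlobal, maxUser, maxServer int) *streamRegistry {
	return &streamRegistry{
		streams:   make(map[string]streamOwner),
		perUser:   make(map[string]int),
		perServer: make(map[string]int),
		maxGlobal: maxGlobal,
		maxUser:   maxUser,
		maxServer: maxServer,
	}
}

// Create reserves a slot for streamID. It fails closed: the caller starts no
// goroutines, channels or copy buffers until this returns nil.
func (r *streamRegistry) Create(streamID, user, server string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, exists := r.streams[streamID]; exists {
		return fmt.Errorf("stream %q already exists", streamID)
	}
	switch {
	case len(r.streams) >= r.maxGlobal:
		return fmt.Errorf("%w: global cap %d", ErrStreamLimit, r.maxGlobal)
	case r.perUser[user] >= r.maxUser:
		return fmt.Errorf("%w: user %q cap %d", ErrStreamLimit, user, r.maxUser)
	case r.perServer[server] >= r.maxServer:
		return fmt.Errorf("%w: server %q cap %d", ErrStreamLimit, server, r.maxServer)
	}
	r.streams[streamID] = streamOwner{user: user, server: server}
	r.perUser[user]++
	r.perServer[server]++
	return nil
}

// Close releases the slot. It must run whenever a stream ends (normally
// deferred in the goroutine that owns it); if it is skipped the counters leak
// and legitimate users are eventually refused.
func (r *streamRegistry) Close(streamID string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	owner, ok := r.streams[streamID]
	if !ok {
		return false
	}
	delete(r.streams, streamID)
	r.perUser[owner.user]--
	if r.perUser[owner.user] == 0 {
		delete(r.perUser, owner.user)
	}
	r.perServer[owner.server]--
	if r.perServer[owner.server] == 0 {
		delete(r.perServer, owner.server)
	}
	return true
}

// Active reports the number of open streams; exporting it as a metric gives
// operators an alert signal for a flood of stream creations.
func (r *streamRegistry) Active() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.streams)
}

func main() {
	reg := newStreamRegistry(100, 3, 5) // constructed caps for the demo
	for i := 0; i < 4; i++ {            // one user opening streams in a loop
		id := fmt.Sprintf("term-%d", i)
		if err := reg.Create(id, "alice", "srv-1"); err != nil {
			fmt.Println(id, "refused:", err) // the 4th request is refused
			continue
		}
		fmt.Println(id, "opened; active =", reg.Active())
	}
	reg.Close("term-0")
	fmt.Println("after close, active =", reg.Active())
}
```

The order of checks matters: the duplicate-id check and the caps all run before any allocation, so a refused request costs only a map lookup, and `errors.Is(err, ErrStreamLimit)` lets the HTTP layer map cap refusals to a 429 while a duplicate id stays a 4xx client error. A per-user request rate limit on the two endpoints would sit in front of this registry; the registry is what bounds the steady-state number of live streams.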
VulDB
nezhahq nezha up to 2.1.x Dashboard /api/v1/terminal createTerminal allocation of resources (GHSA-jg62-j5h6-8mpq)
vuldb · 2026-06-13 · CVSS 6.5 · CVE-2026-53522 · MEDIUM
A vulnerability, which was classified as problematic, has been found in nezhahq nezha up to 2.1.x. This affects the function createTerminal of the file /api/v1/terminal of the component Dashboard. The manipulation leads to allocation of resources.
This vulnerability is listed as CVE-2026-53522. The attack may be initiated remotely. There is no available exploit.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.