VYPR
Medium severity (6.8) · OSV Advisory · Published Dec 20, 2024 · Updated Apr 15, 2026

CVE-2024-56331

Description

Uptime Kuma is an open source, self-hosted monitoring tool. An Improper URL Handling vulnerability allows an attacker to read sensitive local files on the server by exploiting the file:/// protocol. It is triggered via the "real-browser" request type, which takes a screenshot of the URL provided by the attacker. By supplying a local file path such as file:///etc/passwd, an attacker can read sensitive data from the server.

The vulnerability arises because the server does not validate or sanitize the user input for the URL field. Specifically:

1. The URL input (<input data-v-5f5c86d7="" id="url" type="url" class="form-control" pattern="https?://.+" required="">) is constrained only by a client-side pattern; the server accepts arbitrary values, including file:/// URLs, without validation of its own.
2. The server passes the user-provided URL to a browser instance that performs the "real-browser" request and takes a screenshot of the content at that URL. If a local file path is entered (e.g., file:///etc/passwd), the browser loads the file and the screenshot captures its content.

Because the input is never validated server-side, an attacker can point the URL at local files (e.g., file:///etc/passwd) and the system will capture a screenshot of their contents, potentially exposing sensitive data. Any authenticated user who can submit a URL in "real-browser" mode can use this to expose sensitive server files.

This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
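As an added example (not Uptime Kuma's own code), the Node.js snippet below shows the kind of server-side scheme allow-list the description calls for, applied before any URL reaches a headless browser. The names assertHttpUrl, classifyUrl, InvalidMonitorUrl and screenshotSafely, the Playwright-shaped browser object and the sample inputs are assumptions constructed for the illustration; the project's real check lives in RealBrowserMonitorType. It goes slightly beyond the advisory's file:///etc/passwd case by also covering case and whitespace variants, other non-http schemes and scheme-less values.

```javascript
// Added example, not Uptime Kuma's own code. Function names, the InvalidMonitorUrl
// class, the browser-shaped object and SAMPLE_INPUTS are constructed for illustration.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

class InvalidMonitorUrl extends Error {}

// Parse with the WHATWG URL parser and allow only http(s). The parser lowercases the
// scheme and trims surrounding whitespace, so "FILE:///etc/passwd" and
// "  file:///etc/passwd" both normalise to protocol "file:" and are rejected.
// Relative or scheme-less values fail to parse and get a uniform error instead of
// a raw TypeError leaking out of new URL().
function assertHttpUrl(raw) {
    let url;
    try {
        url = new URL(String(raw));
    } catch (_err) {
        throw new InvalidMonitorUrl(`Not an absolute URL: ${JSON.stringify(raw)}`);
    }
    if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
        throw new InvalidMonitorUrl(
            `Invalid url protocol "${url.protocol}", only http and https are allowed.`
        );
    }
    return url.href; // normalised form (lowercased scheme and host)
}

// Non-throwing wrapper used to tabulate results.
function classifyUrl(raw) {
    try {
        return { input: raw, ok: true, href: assertHttpUrl(raw) };
    } catch (err) {
        if (err instanceof InvalidMonitorUrl) {
            return { input: raw, ok: false, reason: err.message };
        }
        throw err;
    }
}

// Validate *before* allocating any browser resources, and always release them.
// `browser` is anything with the Playwright-like shape
// newContext() -> { newPage() -> { goto() }, close() }.
async function screenshotSafely(browser, rawUrl) {
    const href = assertHttpUrl(rawUrl); // rejected URLs never reach the browser
    const context = await browser.newContext();
    try {
        const page = await context.newPage();
        return await page.goto(href, { waitUntil: "networkidle" });
    } finally {
        await context.close();
    }
}

// Constructed sample inputs: two legitimate targets, then bypass attempts that a
// client-side pattern="https?://.+" attribute does nothing to stop.
const SAMPLE_INPUTS = [
    "http://example.com/health",
    "HTTPS://Example.COM/Status",
    "file:///etc/passwd",
    "FILE:///etc/passwd",
    "  file:///etc/passwd  ",
    "javascript:alert(1)",
    "data:text/html,<h1>x</h1>",
    "example.com",
    "//example.com/health",
];

function runSamples() {
    return SAMPLE_INPUTS.map(classifyUrl);
}

for (const r of runSamples()) {
    console.log(r.ok ? `ALLOW  ${r.input} -> ${r.href}` : `REJECT ${JSON.stringify(r.input)}: ${r.reason}`);
}
```

The comparison is against url.protocol rather than a regex on the raw string, so the allow-list cannot be dodged with mixed case or leading whitespace; and because the check runs before newContext(), a rejected monitor never costs a browser context.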

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions                   Patched versions
uptime-kuma (npm)   >= 1.23.0, < 1.23.16                1.23.16
uptime-kuma (npm)   >= 2.0.0-beta.0, < 2.0.0-beta.1     2.0.0-beta.1

Patches

Commit 6cfae01a0d37

Merge commit from fork

https://github.com/louislam/uptime-kuma · Louis Lam · Dec 20, 2024 · via GHSA
3 files changed · +11 −3
  • package.json (modified, +1 −1)
    @@ -24,7 +24,7 @@
             "start-frontend-devcontainer": "cross-env NODE_ENV=development DEVCONTAINER=1 vite --host --config ./config/vite.config.js",
             "start": "npm run start-server",
             "start-server": "node server/server.js",
    -        "start-server-dev": "cross-env NODE_ENV=development node server/server.js",
    +        "start-server-dev": "cross-env NODE_ENV=development node server/server.js --data-dir=./data/v1/",
             "build": "vite build --config ./config/vite.config.js",
             "test": "node test/prepare-test-server.js && npm run jest-backend",
             "test-with-build": "npm run build && npm test",
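Review bot: the `--data-dir=./data/v1/` addition to the start-server-dev script in this hunk is unrelated to the file:// allow-list added in server/monitor-types/real-browser-monitor-type.js and is not mentioned in the commit message ("Merge commit from fork"); splitting it into its own commit, or at least naming it in the message, would keep the security fix minimal and easier to backport and audit.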
    
  • package-lock.json (modified, +2 −2)
    @@ -1,12 +1,12 @@
     {
         "name": "uptime-kuma",
    -    "version": "1.23.14",
    +    "version": "1.23.15",
         "lockfileVersion": 3,
         "requires": true,
         "packages": {
             "": {
                 "name": "uptime-kuma",
    -            "version": "1.23.14",
    +            "version": "1.23.15",
                 "license": "MIT",
                 "dependencies": {
                     "@grpc/grpc-js": "~1.8.22",
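Review bot: package-lock.json moves the version from 1.23.14 to 1.23.15 in both places, while the advisory lists 1.23.16 as the patched release (affected range `< 1.23.16`), and the package.json hunk above does not show its own "version" field changing; confirm that package.json and package-lock.json agree and that the release actually tagged 1.23.16 contains this commit, otherwise the lockfile version and the advisory's patched-version claim will not line up.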
    
  • server/monitor-types/real-browser-monitor-type.js (modified, +8 −0)
    @@ -193,6 +193,14 @@ class RealBrowserMonitorType extends MonitorType {
             const context = await browser.newContext();
             const page = await context.newPage();
     
    +        // Prevent Local File Inclusion
    +        // Accept only http:// and https://
    +        // https://github.com/louislam/uptime-kuma/security/advisories/GHSA-2qgm-m29m-cj2h
    +        let url = new URL(monitor.url);
    +        if (url.protocol !== "http:" && url.protocol !== "https:") {
    +            throw new Error("Invalid url protocol, only http and https are allowed.");
    +        }
    +
             const res = await page.goto(monitor.url, {
                 waitUntil: "networkidle",
                 timeout: monitor.interval * 1000 * 0.8,
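Review bot: the scheme check at `let url = new URL(monitor.url);` runs after `const context = await browser.newContext();` and `const page = await context.newPage();`, so a monitor with a rejected URL throws while holding a freshly created context that nothing in this hunk closes; unless the surrounding code releases it in a finally, every scheduled run of such a monitor leaks a browser context. Moving the three-line check above `browser.newContext()` fixes both the leak and the wasted work. Separately, `new URL()` throws a TypeError on an unparseable value, so a malformed monitor.url surfaces as a raw parser error rather than the "Invalid url protocol, only http and https are allowed." message; wrapping the parse in a try/catch that rethrows the same uniform error would give operators one consistent failure reason.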
    
