VYPR
← All advisories
High severityOSV Advisory· Published Aug 18, 2025· Updated Apr 15, 2026

CVE-2025-55300

CVE-2025-55300

Description

Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution. This vulnerability is fixed in 1.0.4-fix1.

Affected products

1

Patches

1
d31d12e59feb

Merge commit from fork

https://github.com/komari-monitor/komariAkizonAug 9, 2025via osv
commit
1 file changed · +11 1
  • api/terminal.go+11 1 modified
    @@ -3,6 +3,7 @@ package api
 import (
 	"log"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -31,7 +32,16 @@ func RequestTerminal(c *gin.Context) {
 	}
 	upgrader := websocket.Upgrader{
 		CheckOrigin: func(r *http.Request) bool {
-			return true
+			origin := r.Header.Get("Origin")
+			if origin == "" {
+				return false
+			}
+			host := r.Host
+			originUrl, err := url.Parse(origin)
+			if err != nil {
+				return false
+			}
+			return originUrl.Host == host
 		},
 	}
 	conn, err := upgrader.Upgrade(c.Writer, c.Request, nil)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.