OS Command Injection Affecting uptime-kuma package, versions >=2.0.0-dev.0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-UPTIMEKUMA-6092280
- published 30 Nov 2023
- disclosed 27 Nov 2023
- credit Arnaud PASCAL
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
uptime-kuma is a
Affected versions of this package are vulnerable to OS Command Injection due to improper validation of hostname parameter in the runTailscalePing method. An authenticated user can execute arbitrary command on the server.
Note:
When using Uptime Kuma inside a container, the TailScale Ping type is not visible. We can fake this information by intercepting WebSocket messages and set the isContainer option to false.
Workarounds
The front-end application requires that the field follow a specific pattern, this validation only happens on the front-end and can be removed by removing the attribute pattern on the input element.
There are other command execution in the codebase, they use a method spawn from the child_process module which does not interpret the command as a shell command, the same thing should be done here.
The Tailscale CLI seems to support the
--sequence. It should be used between the ping subcommand and the hostname argument to avoid argument injection.