Cyber Resilience

CVE-2024-56331

Medium

Published: 20 December 2024

Published
20 December 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 6.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
EPSS Score 0.6575 98.5th percentile
Risk Priority 53 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56331 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 6.8 (Medium).

Operationally, ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Uptime Kuma, an open-source self-hosted monitoring tool, contains an improper URL handling vulnerability (CWE-22) that permits access to local server files through the file:/// protocol. The flaw exists in the real-browser request type, which accepts a user-supplied URL, passes it to a browser instance for screenshot capture, and lacks server-side validation or sanitization of the input field. The affected input pattern only enforces an https?:// prefix on the client side, allowing arbitrary file paths to be processed.

An authenticated user with permission to create or edit monitors can exploit the issue by submitting a URL such as file:///etc/passwd in real-browser mode. The browser instance then retrieves and renders the local file, returning its contents in the captured screenshot and thereby disclosing sensitive data. The CVSS 3.1 score of 6.8 reflects network attack vector, low complexity, low-privileged access, and high confidentiality impact with changed scope.

The project security advisory and the patch commit in version 1.23.16 state that the vulnerability is resolved by upgrading to that release; no workarounds are documented. The associated EPSS score has remained flat at 0.6575 with no material increase since disclosure.

EU & UK References

Vulnerability details

Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, which…

more

takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as `file:///etc/passwd`, an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (`<input data-v-5f5c86d7="" id="url" type="url" class="form-control" pattern="https?://.+" required="">`) allows users to input arbitrary file paths, including those using the `file:///` protocol, without server-side validation. 2. The server then uses the user-provided URL to make a request, passing it to a browser instance that performs the "real-browser" request, which takes a screenshot of the content at the given URL. If a local file path is entered (e.g., `file:///etc/passwd`), the browser fetches and captures the file’s content. Since the user input is not validated, an attacker can manipulate the URL to request local files (e.g., `file:///etc/passwd`), and the system will capture a screenshot of the file's content, potentially exposing sensitive data. Any **authenticated user** who can submit a URL in "real-browser" mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References