CVE-2024-56331
Published: 20 December 2024
Summary
CVE-2024-56331 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 6.8 (Medium).
Operationally, ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Uptime Kuma, an open-source self-hosted monitoring tool, contains an improper URL handling vulnerability (CWE-22) that permits access to local server files through the file:/// protocol. The flaw exists in the real-browser request type, which accepts a user-supplied URL, passes it to a browser instance for screenshot capture, and lacks server-side validation or sanitization of the input field. The affected input pattern only enforces an https?:// prefix on the client side, allowing arbitrary file paths to be processed.
An authenticated user with permission to create or edit monitors can exploit the issue by submitting a URL such as file:///etc/passwd in real-browser mode. The browser instance then retrieves and renders the local file, returning its contents in the captured screenshot and thereby disclosing sensitive data. The CVSS 3.1 score of 6.8 reflects network attack vector, low complexity, low-privileged access, and high confidentiality impact with changed scope.
The project security advisory and the patch commit in version 1.23.16 state that the vulnerability is resolved by upgrading to that release; no workarounds are documented. The associated EPSS score has remained flat at 0.6575 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3546
Vulnerability details
Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, which…
more
takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as `file:///etc/passwd`, an attacker can read sensitive data from the server. This vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically: 1. The URL input (`<input data-v-5f5c86d7="" id="url" type="url" class="form-control" pattern="https?://.+" required="">`) allows users to input arbitrary file paths, including those using the `file:///` protocol, without server-side validation. 2. The server then uses the user-provided URL to make a request, passing it to a browser instance that performs the "real-browser" request, which takes a screenshot of the content at the given URL. If a local file path is entered (e.g., `file:///etc/passwd`), the browser fetches and captures the file’s content. Since the user input is not validated, an attacker can manipulate the URL to request local files (e.g., `file:///etc/passwd`), and the system will capture a screenshot of the file's content, potentially exposing sensitive data. Any **authenticated user** who can submit a URL in "real-browser" mode is at risk of exposing sensitive data through screenshots of these files. This issue has been addressed in version 1.23.16 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.