CVE-2024-56331: 
JavaScript vulnerability analysis and mitigation

Uptime Kuma, an open source, self-hosted monitoring tool, was found to contain an Improper URL Handling Vulnerability (CVE-2024-56331) that was disclosed on December 20, 2024. The vulnerability allows authenticated attackers to access sensitive local files on the server by exploiting the file:/// protocol through the "real-browser" request type functionality. This security issue has been addressed in version 1.23.16 and 2.0.0-beta.1 (GitHub Advisory).

The vulnerability stems from insufficient validation of user input in the URL field. When using the "real-browser" request type, which takes screenshots of provided URLs, the system fails to properly validate or sanitize URLs containing the file:/// protocol. The browser instance processes these URLs without restriction, allowing access to local system files. The vulnerability has been assigned a CVSS v3.1 score of 6.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N (GitHub Advisory).

The vulnerability enables authenticated attackers to access and potentially exfiltrate sensitive system files through screenshots. Critical files that could be exposed include /etc/passwd (user account information), /etc/shadow (password hashes), application configuration files, and database credentials stored in /app/data/config.json. Any authenticated user with access to the "real-browser" request type functionality could potentially exploit this vulnerability (GitHub Advisory).

The vulnerability has been patched in Uptime Kuma version 1.23.16 and 2.0.0-beta.1. The fix includes implementing proper URL validation to only allow HTTP and HTTPS protocols. Users are strongly advised to upgrade to these or newer versions. There are no known workarounds for this vulnerability (GitHub Advisory, GitHub Commit).