
Cloud Vulnerability DB
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Uptime Kuma versions >= 1.15.0, <= 1.23.16 and >= 2.0.0-beta.0, < 2.0.0-beta.2. The vulnerability exists in the notification providers (pushdeer and whapi) when administrators create notifications through the web service. The issue was patched in version 2.0.0-beta.2 (GitHub Advisory).
The vulnerability stems from the regular expression /\/*$/ used to match zero or more slashes at the end of a URL. When processing a malicious input string containing a large number of trailing slashes followed by a non-slash character, the regular expression engine enters a catastrophic backtracking state. This occurs in the .replace(/\/*$/, "") operation, where the matching process repeatedly backtracks through each slash until reaching the last non-slash character, consuming significant CPU resources (GitHub Advisory).
The vulnerability affects Uptime Kuma users and administrators, particularly those running the application in production environments. When exploited, it can cause significant performance degradation or complete service unavailability due to excessive CPU and memory consumption. Web services and hosting providers running Uptime Kuma could experience downtime and resource exhaustion (GitHub Advisory).
The vulnerability has been patched in version 2.0.0-beta.2. Users are advised to upgrade to this version or later to mitigate the risk. The fix was implemented through a pull request that modified the regular expression matching rules (GitHub PR).
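As an added illustration (not Uptime Kuma's own code or the upstream fix), the following shows the trailing-slash trim described above next to a linear-time replacement that does not use a regular expression, with a constructed hostile input of the shape the advisory describes.

```javascript
// Added example, not taken from the Uptime Kuma project.
// Vulnerable form: the regex quoted in the advisory. Because /\/*$/ has no
// start anchor, the engine tries it at every position of the string; at each
// position it greedily consumes the remaining slashes, fails on `$` because a
// non-slash character follows, and then backtracks one slash at a time.
// That is O(n) work per position and O(n^2) overall for a long run of slashes.
function trimTrailingSlashesVulnerable(url) {
  return url.replace(/\/*$/, "");
}

// Hardened form: a single backward scan. No regex, no backtracking, O(n).
function trimTrailingSlashesSafe(url) {
  let end = url.length;
  while (end > 0 && url.charCodeAt(end - 1) === 0x2f /* '/' */) {
    end--;
  }
  return url.slice(0, end);
}

// Constructed hostile input: many slashes followed by one non-slash character,
// which is exactly the shape that defeats `$` after the greedy run.
function makeHostileInput(slashCount) {
  return "/".repeat(slashCount) + "x";
}

// Wall-clock milliseconds for one call of `fn` on `input`.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

if (typeof require !== "undefined" && require.main === module) {
  // Both trimmers return the same result; only the cost differs.
  for (const n of [1000, 10000, 40000]) {
    const input = makeHostileInput(n);
    console.log(
      `n=${n}: regex ${timeMs(trimTrailingSlashesVulnerable, input).toFixed(1)} ms,` +
        ` loop ${timeMs(trimTrailingSlashesSafe, input).toFixed(1)} ms`
    );
  }
}
```

Running the block prints the timings for the constructed inputs; the regex version grows roughly quadratically with the slash count while the loop stays flat.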
Source: This report was generated using AI