GHSA-vffh-c9pq-4crh: 
JavaScript vulnerability analysis and mitigation

A Server-side Template Injection (SSTI) vulnerability was discovered in Uptime Kuma affecting versions >= 1.23.0 <= 1.23.16 and <= 2.0.0-beta.4. The vulnerability exists in certain Notification types (e.g., Webhook, Telegram) where the send() function allows user-controlled renderTemplate input, potentially enabling arbitrary file read on the server. The issue was published and reviewed on October 20, 2025, and has been assigned the identifier GHSA-vffh-c9pq-4crh with a CVSS score of 6.5 (Moderate severity) (GitHub Advisory).

The vulnerability stems from how Uptime Kuma renders user-controlled templates via renderTemplate(). The function instantiates a Liquid template engine and parses template arguments without proper sanitization. In notification flows, particularly in webhook.js, the send() implementation directly passes user-editable fields to renderTemplate() when webhookContentType is set to custom. The vulnerability is tracked as CWE-36 (Absolute Path Traversal) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, and high confidentiality impact (GitHub Advisory).

This post-authentication vulnerability allows authenticated users to perform arbitrary file read operations on the server. The attack can lead to unauthorized access to sensitive file contents through the exploitation of Liquid's template tags, particularly when the template engine is not properly restricted (GitHub Advisory).

The vulnerability has been patched in versions 1.23.17 and 2.0.0. Users are advised to upgrade to these patched versions to mitigate the risk (GitHub Advisory).