GHSA-vffh-c9pq-4crh: 
JavaScript vulnerability analysis and mitigation

A Server-side Template Injection (SSTI) vulnerability was discovered in Uptime Kuma (GHSA-vffh-c9pq-4crh), affecting versions >= 1.23.0 <= 1.23.16 and <= 2.0.0-beta.4. The vulnerability was disclosed on October 20, 2025, and allows authenticated users to perform arbitrary file read operations on the server through notification templates. The issue specifically affects certain notification types such as Webhook and Telegram (GitHub Advisory).

The vulnerability stems from the improper handling of user-controlled templates in the renderTemplate() function. The function instantiates a Liquid template engine and parses template arguments without proper sanitization. In notification flows, the send() implementation directly passes user-editable fields into renderTemplate() without adequate security controls. The vulnerability has been assigned a CVSS score of 6.5 (Moderate) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. It is associated with CWE-36 (Absolute Path Traversal) and CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) (GitHub Advisory).

This post-authentication vulnerability enables authenticated users to perform arbitrary file read operations on the server, potentially exposing sensitive system files and configurations. The CVSS metrics indicate high impact on confidentiality while integrity and availability remain unaffected (GitHub Advisory).

The vulnerability has been patched in versions 1.23.17 and 2.0.0. Users are advised to upgrade to these patched versions to protect against potential exploitation (GitHub Advisory).