Vulnerability Database

299,030

Total vulnerabilities in the database

Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read

Summary

In some Notification types (e.g., Webhook, Telegram), the send() function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server.

Details

The root cause is how Uptime Kuma renders user-controlled templates via renderTemplate(). The function instantiates a Liquid template engine and parses the template argument without sanitization:

async renderTemplate(template, msg, monitorJSON, heartbeatJSON) { const engine = new Liquid(); const parsedTpl = engine.parse(template); // ... }

In some Notification flows, the send() implementation passes user-editable fields directly into renderTemplate():

// webhook.js if (notification.webhookContentType === "form-data") { const formData = new FormData(); formData.append("data", JSON.stringify(data)); config.headers = formData.getHeaders(); data = formData; } else if (notification.webhookContentType === "custom") { data = await this.renderTemplate(notification.webhookCustomBody, msg, monitorJSON, heartbeatJSON); //<- this line cause SSTI }

Because notification can be edited by users and is rendered by the Liquid engine without proper sandboxing or a whitelist of allowed operations, an attacker can supply a crafted template that causes the server to read arbitrary files. In particular, Liquid’s template tags (e.g. {% render ... %}) can be abused to include server-side files if the engine is not restricted, resulting in Server-side Template Injection (SSTI) that leaks sensitive file contents.

PoC

  1. Open Uptime Kuma → NotificationsAdd or Edit an existing Webhook notification.
  2. Set notification type to Webhook and set Request Body to Custom Body.
  3. Paste the following JSON into the custom request body:
{ "Title": {% render '/etc/passwd' %} }
  1. Click test.
  2. Your webhook will receive the file content

Impact

This is a post-authentication Server-side Template Injection (SSTI) vulnerability that allows an authenticated user to perform arbitrary file read on the server.

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWEs:

Software From Fixed in
Node.js icon uptime-kuma 2.0.0-dev.0 2.0.0-dev.0.x