CVE-2025-55300: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in komari-monitor komari
Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution. This vulnerability is fixed in 1.0.4-fix1.
AI Analysis
Technical Summary
CVE-2025-55300 is a high-severity vulnerability affecting versions of the Komari server monitoring tool prior to 1.0.4-fix1. Komari is a lightweight, self-hosted solution designed to monitor server performance. The vulnerability is categorized under CWE-79 (Cross-site Scripting), improper input neutralization during web page generation. The root cause is that the WebSocket upgrader component in affected versions disables origin checking, which enables Cross-Site WebSocket Hijacking (CSWSH) attacks. This flaw allows any third-party website to open a connection to the terminal WebSocket endpoint of Komari, and the victim's browser attaches its Komari cookies to that handshake. Because the endpoint authenticates the connection by those cookies alone, without checking the Origin header, an attacker can leverage this to execute remote code on the server hosting Komari. The attacker needs no account or privileges on Komari; the attack is triggered when a user who is already authenticated to Komari visits a malicious website. The CVSS 4.0 base score is 8.6 (high), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact on confidentiality, integrity, and availability is high, as remote code execution can lead to full system compromise. This vulnerability was fixed in version 1.0.4-fix1 by re-enabling origin checking on the WebSocket upgrader, preventing unauthorized cross-origin requests. No known exploits are reported in the wild yet, but the potential impact and ease of exploitation make it a critical patch for users of Komari. Organizations using Komari monitoring tools should urgently upgrade to the fixed version to mitigate this risk.
Potential Impact
For European organizations, the impact of CVE-2025-55300 can be significant, especially for those relying on Komari for server monitoring in critical infrastructure, enterprise IT environments, or managed service providers. Successful exploitation allows attackers to execute arbitrary code remotely on monitoring servers, potentially leading to full system compromise, data theft, manipulation of monitoring data, or disruption of monitoring services. This can cascade into broader operational impacts, including undetected server failures, delayed incident response, and exposure of sensitive performance data. Given the network-exploitable nature and the lack of required privileges, attackers can target users through social engineering (e.g., phishing links) to trigger the vulnerability. The high confidentiality, integrity, and availability impacts make it a serious threat to organizations that depend on Komari for real-time server health insights. Additionally, compromised monitoring infrastructure can be used as a pivot point for lateral movement within networks, increasing the risk of widespread breaches.
Mitigation Recommendations
1. Immediate upgrade of all Komari installations to version 1.0.4-fix1 or later, where the origin checking on the WebSocket upgrader is restored and the vulnerability is fixed.
2. Implement strict Content Security Policy (CSP) headers on web interfaces to limit the ability of malicious sites to execute scripts or initiate WebSocket connections.
3. Restrict network access to Komari's WebSocket endpoints to trusted IP ranges or VPNs to reduce exposure to external attackers.
4. Monitor WebSocket traffic and logs for unusual or unauthorized connection attempts, especially from unexpected origins.
5. Educate users about the risks of visiting untrusted websites while authenticated to Komari monitoring interfaces.
6. Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious WebSocket upgrade requests lacking proper origin headers.
7. Regularly audit and review server monitoring tools and their configurations to ensure security best practices are followed.
These steps go beyond generic patching by adding layered defenses to reduce the attack surface and detect exploitation attempts.
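The following Go program is an added example, not Komari's code, illustrating two points from this page: the origin check whose absence is the root cause described in the technical summary, and the log review suggested in recommendation 4. It assumes that Komari's WebSocket upgrader uses the gorilla/websocket library, whose `Upgrader.CheckOrigin` callback is the hook that was left returning true; the allowlist, hostnames and access-log format below are constructed for the example. The program uses only the standard library so it runs stand-alone.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Weak setting: a CheckOrigin callback that accepts every Origin. With a
// cookie-authenticated terminal endpoint behind it, any page the user visits
// can open the socket with the user's ambient cookies (CSWSH). Shown only for
// contrast with checkOrigin below.
func checkOriginDisabled(r *http.Request) bool { return true }

// allowedOrigins is the explicit allowlist for deployments reached under a
// name other than the one in the Host header (constructed value).
var allowedOrigins = map[string]bool{"https://monitor.example.com": true}

// originAllowed is the policy shared by the handshake check and the log scan:
//   - no Origin header: non-browser client, which carries no ambient cookies,
//     so it cannot be a CSWSH victim; accepted (matches gorilla's default)
//   - "null" or an unparsable Origin: rejected
//   - Origin on the allowlist, or whose host equals the request Host: accepted
func originAllowed(origin, host string, allowed map[string]bool) bool {
	if origin == "" {
		return true
	}
	if origin == "null" {
		return false
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	if allowed[strings.ToLower(u.Scheme+"://"+u.Host)] {
		return true
	}
	return strings.EqualFold(u.Host, host)
}

// checkOrigin is the hardened callback, usable as
// websocket.Upgrader{CheckOrigin: checkOrigin} (gorilla/websocket, assumed).
func checkOrigin(r *http.Request) bool {
	return originAllowed(r.Header.Get("Origin"), r.Host, allowedOrigins)
}

// sampleLog holds constructed handshake records in the format
// "<time> <method> <path> host=<host> origin=<origin>", with "-" for a
// handshake that carried no Origin header.
var sampleLog = []string{
	"2025-08-18T17:47:42Z GET /api/terminal host=monitor.example.com origin=https://monitor.example.com",
	"2025-08-18T17:48:01Z GET /api/terminal host=monitor.example.com origin=-",
	"2025-08-18T17:49:13Z GET /api/terminal host=203.0.113.10 origin=https://monitor.example.com",
	"2025-08-18T17:50:27Z GET /api/terminal host=monitor.example.com origin=https://attacker.example",
	"2025-08-18T17:51:05Z GET /api/terminal host=monitor.example.com origin=null",
}

// flagSuspiciousHandshakes returns the log lines whose Origin the policy
// would reject: on a patched server these are the handshakes that were
// refused, on an unpatched one they are the attempts worth investigating.
func flagSuspiciousHandshakes(lines []string) []string {
	var flagged []string
	for _, line := range lines {
		var host, origin string
		for _, f := range strings.Fields(line) {
			switch {
			case strings.HasPrefix(f, "host="):
				host = strings.TrimPrefix(f, "host=")
			case strings.HasPrefix(f, "origin="):
				origin = strings.TrimPrefix(f, "origin=")
			}
		}
		if origin == "-" {
			origin = ""
		}
		if !originAllowed(origin, host, allowedOrigins) {
			flagged = append(flagged, line)
		}
	}
	return flagged
}

func main() {
	for _, line := range flagSuspiciousHandshakes(sampleLog) {
		fmt.Println("suspicious handshake:", line)
	}
}
```

The same-host comparison is what the 1.0.4-fix1 restoration of origin checking provides at minimum; the allowlist covers the case where users legitimately reach the dashboard through a different hostname than the one the server sees.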
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-12T16:15:30.238Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a3673ead5a09ad00b0dda1
Added to database: 8/18/2025, 5:47:42 PM
Last enriched: 8/18/2025, 6:03:12 PM
Last updated: 8/18/2025, 6:03:12 PM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)