Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
CVE-2026-53522: CWE-770: Allocation of Resources Without Limits or Throttling in nezhahq nezha

Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...), which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0.

CVE-2026-53521: CWE-863: Incorrect Authorization in nezhahq nezha

Nezha Monitoring versions from 2.0.14 up to but not including 2.1.0 contain an authorization vulnerability in the PATCH /server/{id} endpoint. This flaw allows the acceptance and persistence of nonexistent ddns_profiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the system uses that profile's configuration in the context of the attacker's server. This issue has been fixed in version 2.1.0.

CVE-2026-53520: CWE-284: Improper Access Control in nezhahq nezha

Nezha Monitoring versions from 2.0.14 up to but not including 2.1.0 contain an improper access control vulnerability. Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing. This issue has been fixed in version 2.1.0.

CVE-2026-53519: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in nezhahq nezha

Nezha Monitoring versions prior to 2.0.13 contain a path traversal vulnerability in the dashboard's NoRoute handler. The vulnerability arises because the fallbackToFrontend function incorrectly uses a prefix check that allows crafted URLs to escape the intended admin-frontend asset directory and access arbitrary files on the server without authentication. This issue has been fixed in version 2.0.13.

CVE-2026-49397: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nezhahq nezha

Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking their names and timing data. This issue has been patched in version 2.0.14.

CVE-2026-48119: CWE-862: Missing Authorization in nezhahq nezha

Nezha Monitoring versions from 0.20.0 up to but not including 2.0.12 contain a missing authorization vulnerability. Authenticated agents can forge monitoring results for services belonging to other users. This issue has been fixed in version 2.0.12.

CVE-2026-47124: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nezhahq nezha

Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full, unfiltered server list. This issue has been patched in version 2.0.9.

CVE-2026-46717: CWE-863: Incorrect Authorization in nezhahq nezha

Nezha Monitoring versions from 1.4.0 up to but not including 2.0.8 have an authorization vulnerability in their dashboard. The notification API endpoints POST /api/v1/notification and PATCH /api/v1/notification/:id are accessible to RoleMember users due to improper handler assignment. These endpoints synchronously send HTTP requests to user-controlled URLs and reflect the full response body back to the caller on non-2xx responses. This issue was fixed in version 2.0.8.

CVE-2026-46716: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nezhahq nezha

Nezha Monitoring versions from 1.4.0 up to but not including 2.0.8 contain a critical OS command injection vulnerability. A user with RoleMember privileges can create a scheduled cron task that executes arbitrary commands on all servers globally, including those belonging to other tenants. This allows the attacker to run commands on multiple servers and receive the output via a webhook they control. The vulnerability has been fixed in version 2.0.8.
