6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-vffh-c9pq-4crh

EPSS Score

CWE

CWE-36

Published

10/20/2025

Updated

10/20/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vffh-c9pq-4crh

GHSA-vffh-c9pq-4crh: Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read

Summary

In some Notification types (e.g., Webhook, Telegram), the send() function allows user-controlled renderTemplate input. This leads to a Server-side Template Injection (SSTI) vulnerability that can be exploited to read arbitrary files from the server.

Details

The root cause is how Uptime Kuma renders user-controlled templates via renderTemplate(). The function instantiates a Liquid template engine and parses the template argument without sanitization:

async renderTemplate(template, msg, monitorJSON, heartbeatJSON) {
    const engine = new Liquid();
    const parsedTpl = engine.parse(template);

    // ...
}

In some Notification flows, the send() implementation passes user-editable fields directly into renderTemplate():

// webhook.js
if (notification.webhookContentType === "form-data") {
    const formData = new FormData();
    formData.append("data", JSON.stringify(data));
    config.headers = formData.getHeaders();
    data = formData;
} else if (notification.webhookContentType === "custom") {
    data = await this.renderTemplate(notification.webhookCustomBody, msg, monitorJSON, heartbeatJSON); //<- this line cause SSTI
}

Because notification can be edited by users and is rendered by the Liquid engine without proper sandboxing or a whitelist of allowed operations, an attacker can supply a crafted template that causes the server to read arbitrary files. In particular, Liquid’s template tags (e.g. {% render ... %}) can be abused to include server-side files if the engine is not restricted, resulting in Server-side Template Injection (SSTI) that leaks sensitive file contents.

PoC

Open Uptime Kuma → Notifications → Add or Edit an existing Webhook notification.
Set notification type to Webhook and set Request Body to Custom Body.
Paste the following JSON into the custom request body:

{
  "Title": {% render '/etc/passwd' %}
}

Click test.
Your webhook will receive the file content

Impact

This is a post-authentication Server-side Template Injection (SSTI) vulnerability that allows an authenticated user to perform arbitrary file read on the server.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-vffh-c9pq-4crh

EPSS Score

CWE

CWE-36

Published

10/20/2025

Updated

10/20/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
uptime-kuma	npm	= 2.0.0-dev.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

### Summ*ry In som* Noti*i**tion typ*s (*.*., W***ook, T*l**r*m), t** `s*n*()` *un*tion *llows us*r-*ontroll** r*n**rT*mpl*t* input. T*is l***s to * S*rv*r-si** T*mpl*t* Inj**tion (SSTI) vuln*r**ility t**t **n ** *xploit** to r*** *r*itr*ry *il*s *r

Reasoning

No *n*lysis *v*il**l*

6.5

Basic Information

Concerned about an active attack path?

GHSA-vffh-c9pq-4crh: Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read

Summary

Details

PoC

Impact

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI