Minimum check interval is only enforced on the frontend #368

Closed
opened 2026-02-28 01:44:09 -05:00 by deekerman · 2 comments

Originally created by @lrstanley on GitHub (Oct 9, 2021).

Describe the bug

A user can submit an HTTP request with an extremely low check interval (say... `0.01s`), as the limit is only enforced on the frontend side of the service. This can lead to a potential denial-of-service attack by overloading the service, and potentially causing service disruption to the target monitored website.

To Reproduce

Steps to reproduce the behavior: Either submit an HTTP request with the lower value, or use Chrome debugging tools to remove the `min="<int>"` and `type="number"` attributes, which will allow you to still lower the value via the UI.

Was able to replicate this on: demo.uptime.kuma.pet.

Expected behavior

The frontend and backend should both enforce this behavior, to prevent unwanted or malicious behavior.


@louislam commented on GitHub (Oct 9, 2021):

Thank you for your report.

Yes, the input validations are frontend only currently. In the current stage, it should not be a big problem, as there is only one user account. And that's one of the reasons why the multiple users feature (#128) is not implemented yet.

However, it did hurt the demo site though, I just fixed it quickly: https://github.com/louislam/uptime-kuma/commit/5c8956265048aee726f236bd83b4988a592242f4

Would be appreciated if you could send the security issue to the email first.
https://github.com/louislam/uptime-kuma/security/policy


@CommanderStorm commented on GitHub (Jul 26, 2023):

@lrstanley I think this issue is resolved:
image

Which is checked on the server here:
https://github.com/louislam/uptime-kuma/blob/6413d4cbdfff4c20d7024548d701d46e91d35659/server/model/monitor.js#L1455-L1463

=> Could you close this issue?
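
The server-side enforcement this thread asks for, as an added example that is not Uptime Kuma's code and not part of any comment above. The names `parseInterval` and `handleSaveMonitor` and the 20 s / 86400 s limits are assumptions chosen for illustration.

```javascript
// Added example: names and limits below are assumptions, not Uptime Kuma's code.
const MIN_INTERVAL_SECONDS = 20;      // assumed lower bound
const MAX_INTERVAL_SECONDS = 86400;   // assumed upper bound (24 h)

class ValidationError extends Error {}

// Validate the interval exactly as it arrives from the client. HTML attributes
// such as min="..." and type="number" never reach the server, so nothing about
// the value's type or range may be assumed here.
function parseInterval(raw) {
    // Reject strings, null, arrays and objects: no implicit coercion of "60" or [60].
    if (typeof raw !== "number" || !Number.isFinite(raw)) {
        throw new ValidationError("interval must be a finite number");
    }
    if (!Number.isInteger(raw)) {
        throw new ValidationError("interval must be a whole number of seconds");
    }
    if (raw < MIN_INTERVAL_SECONDS || raw > MAX_INTERVAL_SECONDS) {
        throw new ValidationError(
            `interval must be between ${MIN_INTERVAL_SECONDS} and ${MAX_INTERVAL_SECONDS} seconds`);
    }
    return raw;
}

// Hypothetical save handler: validation runs before anything is stored or scheduled.
function handleSaveMonitor(payload, store) {
    try {
        const monitor = { url: String(payload.url), interval: parseInterval(payload.interval) };
        store.push(monitor);
        return { ok: true, monitor };
    } catch (err) {
        if (err instanceof ValidationError) {
            return { ok: false, msg: err.message };
        }
        throw err; // unexpected errors are not masked as validation failures
    }
}

// Constructed payloads, as a client could send them with the frontend checks removed.
const sampleStore = [];
const sampleResults = [
    { url: "https://example.com", interval: 60 },
    { url: "https://example.com", interval: 0.01 },
    { url: "https://example.com", interval: "60" },
    { url: "https://example.com", interval: -5 },
    { url: "https://example.com" },
].map((p) => handleSaveMonitor(p, sampleStore));
console.log(sampleResults.map((r) => (r.ok ? "accepted" : `rejected: ${r.msg}`)));
```

Only the first constructed payload is stored; the rest are rejected with a message the client can display, regardless of what the form allowed.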
