[Security] Reported via email

deekerman commented

2026-02-28 02:01:42 -05:00

Owner

Originally created by @OmgImAlexis on GitHub (Feb 22, 2022).

⚠️ Please verify that this bug has NOT been raised before.

I checked and didn't find similar issue

🛡️ Security Policy

I agree to have read this project Security Policy

Description

This is to track the issue reported via email. Details can be shared here once the issue has been resolved.

👟 Reproduction steps

See email

👀 Expected behavior

See email

😓 Actual Behavior

See email

🐻 Uptime-Kuma Version

1.11.4

💻 Operating System and Arch

Demo instance

🌐 Browser

Google Chrome

🐋 Docker Version

No response

🟩 NodeJS Version

No response

📝 Relevant log output

No response

Originally created by @OmgImAlexis on GitHub (Feb 22, 2022). ### ⚠️ Please verify that this bug has NOT been raised before. - [X] I checked and didn't find similar issue ### 🛡️ Security Policy - [X] I agree to have read this project [Security Policy](https://github.com/louislam/uptime-kuma/security/policy) ### Description This is to track the issue reported via email. Details can be shared here once the issue has been resolved. ### 👟 Reproduction steps See email ### 👀 Expected behavior See email ### 😓 Actual Behavior See email ### 🐻 Uptime-Kuma Version 1.11.4 ### 💻 Operating System and Arch Demo instance ### 🌐 Browser Google Chrome ### 🐋 Docker Version _No response_ ### 🟩 NodeJS Version _No response_ ### 📝 Relevant log output _No response_

deekerman

2026-02-28 02:01:42 -05:00

closed this issue
added the
bug
label

deekerman commented

2026-02-28 02:01:47 -05:00

Author

Owner

@louislam commented on GitHub (Feb 23, 2022):

Thanks, but currently uptime kuma is a single user application, so it is not a issue currently.

@louislam commented on GitHub (Feb 23, 2022): Thanks, but currently uptime kuma is a single user application, so it is not a issue currently.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 23, 2022):

Thanks, but currently uptime kuma is a single user application, so it is not a issue currently.

Please reopen this. This IS an issue. I can completely crash the demo instance and even use it to DOS sites. Even as a single user application this is an issue. I find it quite irresponsible to just close this.

@OmgImAlexis commented on GitHub (Feb 23, 2022): > Thanks, but currently uptime kuma is a single user application, so it is not a issue currently. Please reopen this. This IS an issue. I can completely crash the demo instance and even use it to DOS sites. Even as a single user application this is an issue. I find it quite irresponsible to just close this.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 23, 2022):

Does this mean I can share the problem on here then since you've deemed it not a security risk? I feel users have a right to know so they themselves can decide the risk factor here.

@OmgImAlexis commented on GitHub (Feb 23, 2022): Does this mean I can share the problem on here then since you've deemed it not a security risk? I feel users have a right to know so they themselves can decide the risk factor here.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@hogcycle commented on GitHub (Feb 23, 2022):

send it you wont

@hogcycle commented on GitHub (Feb 23, 2022): send it you wont

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 23, 2022):

I also noticed a few other issues, I'll send you an email about those too.

@OmgImAlexis commented on GitHub (Feb 23, 2022): I also noticed a few other issues, I'll send you an email about those too.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@louislam commented on GitHub (Feb 26, 2022):

I also noticed a few other issues, I'll send you an email about those too.

Thanks!

@louislam commented on GitHub (Feb 26, 2022): > I also noticed a few other issues, I'll send you an email about those too. Thanks!

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

Does this mean I can share the problem on here then since you've deemed it not a security risk? I feel users have a right to know so they themselves can decide the risk factor here.

@louislam did you not see this comment? I’ll be releasing the details publicly 90 days after the first email as I feel this should be disclosed to users. I believe a CVE should also be issued for this.

@OmgImAlexis commented on GitHub (Feb 26, 2022): > Does this mean I can share the problem on here then since you've deemed it not a security risk? I feel users have a right to know so they themselves can decide the risk factor here. @louislam did you not see this comment? I’ll be releasing the details publicly 90 days after the first email as I feel this should be disclosed to users. I believe a CVE should also be issued for this.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@louislam commented on GitHub (Feb 26, 2022):

Yes, I think there are 3 issues, I agree that 1st and 2nd are security issues, but 3rd should be not.

For console.log issue, I may need some time to figure it out where is it, would be appreciated if you could email me where is it.
For DDOS issue, it should be fixed, but it only hurt my demo site.
github.com/louislam/uptime-kuma@595cd93220
For input validations, I did mention that the input validations are frontend only currently. (https://github.com/louislam/uptime-kuma/issues/625#issuecomment-939344756) Admin account should not share to other users as always.

In my point of view, since this is a single user application, it should not be a problem. I think no one will try to hack themself.

For example, you send the Windows admin account to other users and then he delete some dll files at C:\Windows and crash the Windows. It does hurt the system, but I think it is not a security issue.

However let say Windows is having a bug that let hackers login the admin account without password and delete some dll files, that is a security issue.

Of course, I am not against this. Ultimately, I strongly agree that server side checking should be implemented. But please understand that I maintain this project with my free time only. Implementing this could be a time consuming task.

EDIT: To be cleared, although I said there is no server side input validation, all those endpoints are still required access token in the current implementation in order to make a request, if you found a endpoint that do not require that is a security issue.

@louislam commented on GitHub (Feb 26, 2022): Yes, I think there are 3 issues, I agree that 1st and 2nd are security issues, but 3rd should be not. 1. For console.log issue, I may need some time to figure it out where is it, would be appreciated if you could email me where is it. 2. For DDOS issue, it should be fixed, but it only hurt my demo site. https://github.com/louislam/uptime-kuma/commit/595cd9322080b209d9a7925463c850cae29d2c33 3. For input validations, I did mention that the input validations are frontend only currently. (https://github.com/louislam/uptime-kuma/issues/625#issuecomment-939344756) Admin account should not share to other users as always. In my point of view, since this is a single user application, it should not be a problem. I think no one will try to hack themself. For example, you send the Windows admin account to other users and then he delete some dll files at C:\Windows and crash the Windows. It does hurt the system, but I think it is not a security issue. However let say Windows is having a bug that let hackers login the admin account without password and delete some dll files, that is a security issue. Of course, I am not against this. Ultimately, I strongly agree that server side checking should be implemented. But please understand that I maintain this project with my free time only. Implementing this could be a time consuming task. EDIT: To be cleared, although I said there is no server side input validation, all those endpoints are still required access token in the current implementation in order to make a request, if you found a endpoint that do not require that is a security issue.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

This issue should be re-opened as it's not resolved.

This shouldn't need me to email you the location. Search the code...
Wasn't fixed at all. github.com/louislam/uptime-kuma@595cd93220 (r67528328)
Good choice in using Windows as an example here as Windows actually prevents exactly this type of thing.

For example, you send the Windows admin account to other users and then he delete some dll files at C:\Windows and crash the Windows. It does hurt the system, but I think it is not a security issue.

If I leave a windows PC unattended and then someone walks by and tries to delete something in an admin owned directory they're prompted with the UAC. With Uptime kuma if I leave a browser authenticated and walk away this just lets anyone do whatever they want.

I'd also highly suggest you do some research into security. It's not nearly as black and white as you're making it out to be.

@OmgImAlexis commented on GitHub (Feb 26, 2022): This issue should be re-opened as it's not resolved. 1. This shouldn't need me to email you the location. Search the code... 2. Wasn't fixed at all. https://github.com/louislam/uptime-kuma/commit/595cd9322080b209d9a7925463c850cae29d2c33#r67528328 3. Good choice in using Windows as an example here as Windows actually prevents exactly this type of thing. > For example, you send the Windows admin account to other users and then he delete some dll files at C:\Windows and crash the Windows. It does hurt the system, but I think it is not a security issue. If I leave a windows PC unattended and then someone walks by and tries to delete something in an admin owned directory they're prompted with the UAC. With Uptime kuma if I leave a browser authenticated and walk away this just lets anyone do whatever they want. I'd also highly suggest you do some research into security. It's not nearly as black and white as you're making it out to be.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

Also this issue should never have been marked as invalid. This is a valid security issue please remove the "invalid" tag and add "security".

@OmgImAlexis commented on GitHub (Feb 26, 2022): Also this issue should never have been marked as invalid. This is a valid security issue please remove the "invalid" tag and add "security".

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@Hypfer commented on GitHub (Feb 26, 2022):

Would you please kindly stop harrassing this open source maintainer.
Your entitled attitude is frankly unbearable.

Security issues are indeed inportant, however what you're forgetting is that you're not talking to some faceless gigacorp here.
Instead, this is a human being who has decided to donate their time working on something for free to the world.

It is completely unacceptable to boss them around like this.

@Hypfer commented on GitHub (Feb 26, 2022): Would you please kindly stop harrassing this open source maintainer. Your entitled attitude is frankly unbearable. Security issues are indeed inportant, however what you're forgetting is that you're not talking to some faceless gigacorp here. Instead, this is a human being who has decided to donate their time working on something for free to the world. It is completely unacceptable to boss them around like this.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@louislam commented on GitHub (Feb 26, 2022):

If I leave a browser authenticated and walk away

Sorry in this case, anyone can steal all your saved passwords in Chrome.
So Chrome is having security issue?

I re-open it for more discussion.

@louislam commented on GitHub (Feb 26, 2022): > If I leave a browser authenticated and walk away Sorry in this case, anyone can steal all your saved passwords in Chrome. So Chrome is having security issue? I re-open it for more discussion.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@louislam commented on GitHub (Feb 26, 2022):

Would you please kindly stop harrassing this open source maintainer. Your entitled attitude is frankly unbearable.

Security issues are indeed inportant, however what you're forgetting is that you're not talking to some faceless gigacorp here. Instead, this is a human being who has decided to donate their time working on something for free to the world.

It is completely unacceptable to boss them around like this.

Thank you for understanding!

@louislam commented on GitHub (Feb 26, 2022): > > Would you please kindly stop harrassing this open source maintainer. Your entitled attitude is frankly unbearable. > > Security issues are indeed inportant, however what you're forgetting is that you're not talking to some faceless gigacorp here. Instead, this is a human being who has decided to donate their time working on something for free to the world. > > It is completely unacceptable to boss them around like this. Thank you for understanding!

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

It is completely unacceptable to boss them around like this.

Not really sure where you got this idea "boss them around like this.".

I never once said they're required todo anything but acting like isn't an issue with 1000s of people use this product isn't the right thing todo.

I even asked nicely.... "please remove"?

@OmgImAlexis commented on GitHub (Feb 26, 2022): > It is completely unacceptable to boss them around like this. Not really sure where you got this idea "boss them around like this.". I never once said they're required todo anything but acting like isn't an issue with 1000s of people use this product isn't the right thing todo. I even **asked** nicely.... "please remove"?

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

If I leave a browser authenticated and walk away

Sorry in this case, anyone can steal all your saved passwords in Chrome. So Chrome is having security issue?

I re-open it for more discussion.

Yes, this is correct. Chrome even made changes to where they store the passwords on disk to reduce the security risk.

@OmgImAlexis commented on GitHub (Feb 26, 2022): > > If I leave a browser authenticated and walk away > > Sorry in this case, anyone can steal all your saved passwords in Chrome. So Chrome is having security issue? > > I re-open it for more discussion. Yes, this is correct. Chrome even made changes to where they store the passwords on disk to reduce the security risk.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@Hypfer commented on GitHub (Feb 26, 2022):

I find it quite irresponsible to just close this.

Also this issue should never have been marked as invalid.

I feel users have a right to know so they themselves can decide the risk factor here.

This issue should be re-opened as it's not resolved.

This shouldn't need me to email you the location. Search the code...

Yes yes. These are all clearly neutral statements showing your support for and your willingness to work with the maintainer.
Definitely no "us vs them" in there.

@louislam did you not see this comment? I’ll be releasing the details publicly 90 days after the first email as I feel this should be disclosed to users. I believe a CVE should also be issued for this.

This is also clearly not in any way threatening the maintainer with public pressure/outcry.

@Hypfer commented on GitHub (Feb 26, 2022): > I find it quite irresponsible to just close this. > Also this issue should never have been marked as invalid. > I feel users have a right to know so they themselves can decide the risk factor here. > This issue should be re-opened as it's not resolved. > This shouldn't need me to email you the location. Search the code... Yes yes. These are all clearly neutral statements showing your support for and your willingness to work with the maintainer. Definitely no "us vs them" in there. > @louislam did you not see this comment? I’ll be releasing the details publicly 90 days after the first email as I feel this should be disclosed to users. I believe a CVE should also be issued for this. This is also clearly not in any way threatening the maintainer with public pressure/outcry.

deekerman commented

2026-02-28 02:01:48 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

@louislam did you not see this comment? I’ll be releasing the details publicly 90 days after the first email as I feel this should be disclosed to users. I believe a CVE should also be issued for this.

This is also clearly not in any way pressuring the maintainer.

What in the world are you on about? Have you not heard of responsible disclosure? This is standard practise.

https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure

Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.[6]

@OmgImAlexis commented on GitHub (Feb 26, 2022): > > @louislam did you not see this comment? I’ll be releasing the details publicly 90 days after the first email as I feel this should be disclosed to users. I believe a CVE should also be issued for this. > > This is also clearly not in any way pressuring the maintainer. What in the world are you on about? Have you not heard of responsible disclosure? This is standard practise. https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure > [Google Project Zero](https://en.wikipedia.org/wiki/Project_Zero) has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.[[6]](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure#cite_note-6)

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@Hypfer commented on GitHub (Feb 26, 2022):

Have you not heard of responsible disclure?

If that comment existed in a vacuum then maybe yes it could just be a "btw I will be doing responsible disclosure with what I think is a vuln".
That however is not the case. In context, it was clearly perceived as a hostile threat.

@Hypfer commented on GitHub (Feb 26, 2022): > Have you not heard of responsible disclure? If that comment existed in a vacuum then maybe yes it could just be a "btw I will be doing responsible disclosure with what I think is a vuln". That however is not the case. In context, it was clearly perceived as a hostile threat.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

That however is not the case. In context, it was clearly perceived as a hostile threat.

You closed the issue, I asked what was meant to be happening and stated my intention to release a CVE. What part of that is hostile?

@OmgImAlexis commented on GitHub (Feb 26, 2022): > That however is not the case. In context, it was clearly perceived as a hostile threat. You closed the issue, I asked what was meant to be happening and stated my intention to release a CVE. What part of that is hostile?

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

Look, I opened this as a hope to have the issue fixed. Obviously I should have just ignored it and left the repo alone. Sorry.

@OmgImAlexis commented on GitHub (Feb 26, 2022): Look, I opened this as a hope to have the issue fixed. Obviously I should have just ignored it and left the repo alone. Sorry.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@Hypfer commented on GitHub (Feb 26, 2022):

You closed the issue

I did not close this issue. I'm not the even maintainer. I'm just some maintainer tired of seeing this attitude happen on a regular basis.

Obviously I should have just ignored it and left the repo alone.

Obviously you should've actually tried to help solving the problem if you actually care about that and not just want a CVE with your name on it.

This shouldn't need me to email you the location. Search the code...

^ This is not how people work together on solving an issue.

@Hypfer commented on GitHub (Feb 26, 2022): > You closed the issue I did not close this issue. I'm not the even maintainer. I'm just _some_ maintainer tired of seeing this attitude happen on a regular basis. > Obviously I should have just ignored it and left the repo alone. Obviously you should've actually tried to help solving the problem if you actually care about that and not just want a CVE with your name on it. > This shouldn't need me to email you the location. Search the code... ^ This is not how people work together on solving an issue.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

I'm not the maintainer. I'm just some maintainer tired of seeing this attitude happen on a regular basis.

You get I'm ALSO a open source maintainer? I get abuse on a daily basis. If someone opened an issue like this(I've had plenty over the years) I would have worked with them not closed it.

if you actually care about that and not just want a CVE with your name on it.

I honestly couldn't give two shits about the CVE number. I DO care about seeing projects like this used by 1000s while there are security issues. 9/10 they're there simply because no one thought to try and break the app. Look at all the things that've been found with libraries just over the last year.

^ This is not how people work together on solving an issue.

Come on... this is just trying to find something to backup your point.
It was 3AM when I was replying to this, maybe I could have been a little nicer but really no one should need to point out where a console.log is. Open your editor CTRL+F "console.log" oh there it is... you know like how I did...

@OmgImAlexis commented on GitHub (Feb 26, 2022): > I'm not the maintainer. I'm just some maintainer tired of seeing this attitude happen on a regular basis. You get I'm **ALSO** a open source maintainer? I get abuse on a daily basis. If someone opened an issue like this(I've had plenty over the years) I would have worked with them not closed it. > if you actually care about that and not just want a CVE with your name on it. I honestly couldn't give two shits about the CVE number. I **DO** care about seeing projects like this used by 1000s while there are security issues. 9/10 they're there simply because no one thought to try and break the app. Look at all the things that've been found with libraries just over the last year. > ^ This is not how people work together on solving an issue. Come on... this is just trying to find something to backup your point. It was 3AM when I was replying to this, maybe I could have been a little nicer but really no one should need to point out where a console.log is. Open your editor CTRL+F "console.log" oh there it is... you know like how I did...

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

Just to make the point obvious. Someone being blunt and stating facts is not the same as someone being hostile. 9/10 this misinterpreted due to a language or culture difference.

Also I do love the fact you've skimmed over that I emailed this to them in the hopes of avoiding needing to publicly state the issue in the hopes it'd be fixed before public disclosure. But ya know... keep going on how I'm hostile, etc. 🙃

@OmgImAlexis commented on GitHub (Feb 26, 2022): Just to make the point obvious. Someone being blunt and stating facts is not the same as someone being hostile. 9/10 this misinterpreted due to a language or culture difference. Also I do love the fact you've skimmed over that I emailed this to them in the hopes of avoiding needing to publicly state the issue in the hopes it'd be fixed before public disclosure. But ya know... keep going on how I'm hostile, etc. 🙃

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@louislam commented on GitHub (Feb 26, 2022):

Thank you all, I think everyone here are trying to help the project.

I am definitely not a security expert here. I always just use my sense and experience to develop something.

Discussions and opinions are welcome. If my knowledge is not correct, feel free to correct me. Also pull requests are welcome too.

@louislam commented on GitHub (Feb 26, 2022): Thank you all, I think everyone here are trying to help the project. I am definitely not a security expert here. I always just use my sense and experience to develop something. Discussions and opinions are welcome. If my knowledge is not correct, feel free to correct me. Also pull requests are welcome too.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

@louislam in that case am I okay to open some PRs this week to add validation and other security fixes? I haven't had a chance to fully audit this app and only had a few glances at the code.

@OmgImAlexis commented on GitHub (Feb 26, 2022): @louislam in that case am I okay to open some PRs this week to add validation and other security fixes? I haven't had a chance to fully audit this app and only had a few glances at the code.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

I am definitely not a security expert here. I always just use my sense and experience to develop something.

Neither am I lol I'm just really good at breaking things.

@OmgImAlexis commented on GitHub (Feb 26, 2022): > I am definitely not a security expert here. I always just use my sense and experience to develop something. Neither am I lol I'm just really good at breaking things.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@louislam commented on GitHub (Feb 26, 2022):

@louislam in that case am I okay to open some PRs this week to add validation and other security fixes? I haven't had a chance to fully audit this app and only had a few glances at the code.

I try my best, since I am a bit lazy recently lol. 50+ pull requests are in the queue.

@louislam commented on GitHub (Feb 26, 2022): > @louislam in that case am I okay to open some PRs this week to add validation and other security fixes? I haven't had a chance to fully audit this app and only had a few glances at the code. I try my best, since I am a bit lazy recently lol. 50+ pull requests are in the queue.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@OmgImAlexis commented on GitHub (Feb 26, 2022):

In that case would a few small focused PRs be better to open than a single big one?

@OmgImAlexis commented on GitHub (Feb 26, 2022): In that case would a few small focused PRs be better to open than a single big one?

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@CommanderStorm commented on GitHub (May 23, 2023):

In that case would a few small focused PRs be better to open than a single big one?

Please open PRs that are as small as they need to be to achieve the goal.
I.e. multiple PRs, but each with only one distinct addressed issue.
=> This way they stay reviewable + effective.

@CommanderStorm commented on GitHub (May 23, 2023): > In that case would a few small focused PRs be better to open than a single big one? Please open PRs that are as small as they need to be to achieve the goal. I.e. multiple PRs, but each with only one distinct addressed issue. => This way they stay reviewable + effective.

deekerman commented

2026-02-28 02:01:49 -05:00

Author

Owner

@CommanderStorm commented on GitHub (May 23, 2023):

@OmgImAlexis Can this issue be closed?

@CommanderStorm commented on GitHub (May 23, 2023): @OmgImAlexis Can this issue be closed?

Rows
Columns

[Security] Reported via email #863

⚠️ Please verify that this bug has NOT been raised before.

🛡️ Security Policy

Description

👟 Reproduction steps

👀 Expected behavior

😓 Actual Behavior

🐻 Uptime-Kuma Version

💻 Operating System and Arch

🌐 Browser

🐋 Docker Version

🟩 NodeJS Version

📝 Relevant log output