CVE-2025-55300

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-55300

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55300.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-55300

Aliases

Published

2025-08-18T17:41:37.372Z

Modified

2025-12-05T10:20:14.909475Z

Severity

8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Komari Allows Cross-site WebSocket Hijacking

Details

Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution. This vulnerability is fixed in 1.0.4-fix1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55300.json"
}

References

Affected packages

Git / github.com/komari-monitor/komari

Affected ranges

Type: GIT
Repo: https://github.com/komari-monitor/komari
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d31d12e59febce100ab0285b93338f09aa5d6cb1

Affected versions

0.*

0.0.3

0.0.4

0.0.5

0.0.5a

0.0.6

0.0.7

0.0.8

0.0.9

0.1.0

0.1.0-fix1

0.1.0-pre2

0.1.0-pre3

0.1.0-prerelease

0.1.1

0.1.2

0.1.2-fix1

0.1.2-fix2

0.1.2-fix3

0.1.3

0.1.4

0.1.5

0.1.5-fix1

0.1.5-pre1

0.1.6

0.1.6-fix1

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.3-fix1

1.0.4