Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.
Problem types
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Product status
References
github.com/.../nezha/security/advisories/GHSA-ww5p-j6cj-6mqq
github.com/.../nezha/security/advisories/GHSA-ww5p-j6cj-6mqq
github.com/...ommit/39d398066d8c644fe452f74704e34ada6c7ab61e
github.com/nezhahq/nezha/releases/tag/v2.2.5