CVE Catalog

CVE-2026-53522

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile — higher than 20% of all known CVEs

Summary

Nezha Monitoring versions from 1.0.0 to before 2.2.0 have a vulnerability that allows the creation of long-lived WebSocket streams without limits. Two endpoints, POST /api/v1/terminal and POST /api/v1/file, lack user rate limits and server connection caps.

Risk Assessment

The absence of connection limits may lead to server overload, threatening service availability. An attacker could exploit this vulnerability to exhaust server resources.

Recommendation

It is recommended to upgrade to version 2.2.0 or later to mitigate this vulnerability. Additionally, implementing connection limiting mechanisms for users and servers is advisable.

Original NVD description (English source)

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS