CVE-2026-53522
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
Nezha Monitoring versions from 1.0.0 to before 2.2.0 have a vulnerability that allows the creation of long-lived WebSocket streams without limits. Two endpoints, POST /api/v1/terminal and POST /api/v1/file, lack user rate limits and server connection caps.
Risk Assessment
The absence of connection limits may lead to server overload, threatening service availability. An attacker could exploit this vulnerability to exhaust server resources.
Recommendation
It is recommended to upgrade to version 2.2.0 or later to mitigate this vulnerability. Additionally, implementing connection limiting mechanisms for users and servers is advisable.
Original NVD description (English source)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0.

