Listen to this Post
How CVE-2026-53522 Works
Nezha Monitoring is a self-hostable, lightweight servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents:
– `POST /api/v1/terminal` → `createTerminal()` (terminal.go:27-67)
– `POST /api/v1/file` → `createFM()` (fm.go:28-67)
Both endpoints call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...), which inserts a new `ioStreamContext` into an unbounded `map
ioStreamContext` (<code>s.ioStreams</code> in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. Each stream allocates: - An `ioStreamContext` struct with several channels and sync primitives - Two goroutines via `StartStream()` (io_stream.go:358-369) — bidirectional `io.CopyBuffer` - A gRPC IOStream between the dashboard and the agent - An agent-side PTY/shell process The `HasPermission` check at terminal.go:41-43 and fm.go:43-45 controls access scope but does not limit creation volume. A user with `ScopeServerExec` (terminal) or `ScopeServerRead+Write+Delete` (file manager) can open unlimited streams. The attack requires only authenticated access with standard scopes — no special privileges. Any team member with terminal access to a server can DoS the entire infrastructure. <h2 style="color: blue;">DailyCVE Form</h2> <h2 style="color: blue;">| Field | Value |</h2> <h2 style="color: blue;">|-|-|</h2> <h2 style="color: blue;">| Platform | Nezha Dashboard |</h2> <h2 style="color: blue;">| Version | 1.0.0 through 2.1.9 |</h2> <h2 style="color: blue;">| Vulnerability | Unbounded WebSocket Stream Creation |</h2> <h2 style="color: blue;">| Severity | Medium (CVSS 6.5) |</h2> <h2 style="color: blue;">| Date | June 12, 2026 |</h2> <h2 style="color: blue;">| Prediction | Patch available in v2.2.0 |</h2> <h2 style="color: blue;">What Undercode Say: Analytics</h2> <h2 style="color: blue;">Affected Endpoints:</h2> [bash] POST /api/v1/terminal → createTerminal() (terminal.go:27-67) POST /api/v1/file → createFM() (fm.go:28-67)
Vulnerable Code Snippet (io_stream.go:55-67):
func (s NezhaHandler) CreateStreamWithPurpose(...) {
s.ioStreamMutex.Lock()
defer s.ioStreamMutex.Unlock()
s.ioStreams[bash] = &ioStreamContext{
creatorUserID: creatorUserID,
targetServerID: targetServerID,
purpose: purpose,
userIoConnectCh: make(chan struct{}),
agentIoConnectCh: make(chan struct{}),
revokedCh: make(chan struct{}),
}
}
StartStream Goroutine Spawning (io_stream.go:319-372):
func (s NezhaHandler) StartStream(streamId string, timeout time.Duration) error {
// ...
go func() {
_, innerErr := io.CopyBuffer(userIo, agentIo, bp.buf)
errCh <- innerErr
}()
go func() {
_, innerErr := io.CopyBuffer(agentIo, userIo, bp.buf)
errCh <- innerErr
}()
return <-errCh
}
Unbounded Map Initialization (nezha.go:36):
s.ioStreams = make(map[bash]ioStreamContext)
Exploit
Conceptual Proof of Concept:
As an authenticated user with a valid JWT or PAT:
for i in {1..1000}; do
curl -X POST "https://dashboard.example.com/api/v1/terminal" \
-H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{"server_id": 1}' &
done
wait
Attack Resource Targets:
- Dashboard memory/goroutines — each stream adds goroutines, channels, and buffers
- Agent resources — each stream spawns a PTY/shell process on the monitored server
- gRPC connection pool — concurrent IOStreams consume gRPC multiplexing capacity
Alternative Attack Path:
The `POST /file` (createFM) endpoint provides an alternative path with the same unbounded behavior, using `ScopeServerRead+Write+Delete` instead of ScopeServerExec.
Protection
Immediate Remediation:
- Upgrade to version 2.2.0 or later
Layered Rate Limiting and Concurrency Control:
- Per-user stream cap in `CreateStream` — reject if the user already has N active streams (e.g., 10 per user):
func (s NezhaHandler) CreateStreamWithPurpose(...) { s.ioStreamMutex.Lock() defer s.ioStreamMutex.Unlock() count := 0 for _, ctx := range s.ioStreams { if ctx.creatorUserID == creatorUserID { count++ } } if count >= maxStreamsPerUser { return error } // ... existing code ... } - Per-server semaphore — limit concurrent streams to any single server (e.g., 20 per server)
- Rate limiter on `createTerminal` and `createFM` — mirror the existing MCP rate limiter (mcp_ratelimit.go) for legacy WebSocket endpoints
- Add configurable `MaxStreamsPerUser` / `MaxStreamsPerServer` settings so operators can tune limits without code changes
Additional Protective Measures:
- Implement network-level rate limiting
- Monitor connection counts through system metrics
- Configure proper resource allocation limits for the monitoring service
Impact
- Denial of Service against the dashboard: memory exhaustion, goroutine starvation, or gRPC stream table overflow from rapid stream creation
- Denial of Service against monitored agents: each terminal session spawns a PTY process on the agent — an attacker can crash or degrade all agents behind the dashboard
- Operational cascade: if the dashboard OOMs, all agent monitoring and alerting is lost
- PAT connection-registry bypass: rapid create-connect-disconnect cycles may evade cleanup tracking
- CWE Classification: CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling)
- ATT&CK Technique: T1499.004 (Resource Hijacking)
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
