UptimeFlare, Sensitive Data Exposure, CVE-2026-29779 (High)

Listen to this Post

The vulnerability stems from a design flaw in the configuration export within uptime.config.ts. This file exported two objects: `pageConfig` (intended for public, client-side use) and `workerConfig` (containing server-side secrets like monitor credentials and API keys). A client-side component, pages/incidents.tsx, directly imported and utilized the server-only workerConfig. During the build process for the Cloudflare Workers environment, modern bundlers (like Webpack or Vite used with Next.js) analyze import statements. Because `incidents.tsx` imported workerConfig, the bundler determined this module was necessary for the client-side bundle to function. Consequently, the entire `workerConfig` object, including all its sensitive data, was serialized and embedded into the static JavaScript files served to end-users’ browsers. Any visitor to the status page could view the page source or browser developer tools to see the exposed secrets. The issue was patched in commit `377a596` by ensuring that client-side components do not import server-only configuration objects, likely by restructuring the exports or using dynamic imports only on the server-side.

dailycve form:

Platform: UptimeFlare (Cloudflare Workers)
Version: prior commit 377a596
Vulnerability : Sensitive Data Exposure
Severity: High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
date: 2026-03-07

Prediction: Patched (Commit 377a596)

What Undercode Say:

Analytics:

The vulnerability is a direct result of poor separation between server-side and client-side code in a JavaScript/TypeScript application. It highlights a common misconfiguration in modern frameworks where environment variables or server-only modules are inadvertently exposed. The exploitation is passive; simply visiting the status page leaks the configuration without any user interaction. The CVSS vector indicates a high confidentiality impact with no impact on integrity or availability. The EPSS score, while not explicitly provided in the source, would likely be high due to the passive nature of the exploit and the public availability of the vulnerable code.

Bash Commands and Code Analysis:

Simulate finding exposed secrets in a JavaScript bundle
1. Fetch the client-side JavaScript bundle (example for incidents page)
You would need to identify the correct bundle name from the page source.
curl -s https://vulnerable-uptimeflare.com/_next/static/chunks/pages/incidents-abc123.js | grep -E '(apiKey|secret|password|token|workerConfig)'
2. Use a tool like `grep` to recursively search downloaded bundles if multiple exist.
grep -r "workerConfig" ./downloaded_bundles/
3. Example of what the vulnerable uptime.config.ts might have looked like (pseudo-code)
export const pageConfig = { site "Status Page", theme: "dark" };
export const workerConfig = { // <-- This should not be on client
cfAccountId: "super-secret-id",
cfApiToken: "super-secret-token",
monitors: [{ name: "Google", url: "https://google.com", apiKey: "internal-key" }]
};
4. Example of the vulnerable import in incidents.tsx
import { workerConfig } from '../uptime.config'; // <-- BAD: Forces client-side inclusion
5. Example of patched approach (using dynamic imports or server-side props)
export async function getServerSideProps() { ... fetch workerConfig on server ... return { props: { ... } } }

Exploit:

  1. Navigate to the target UptimeFlare status page, specifically the incidents page (e.g., `https://victim.com/incidents`).

    2. Open browser Developer Tools (F12).

    3. Go to the “Sources” or “Debugger” tab.

  2. Search through the JavaScript files loaded by the page, particularly those with names like `incidents…js` or pages...js.
  3. Use the “Search” feature (Ctrl+Shift+F) within the sources to look for keywords like workerConfig, apiKey, password, secret, token, or the names of the monitoring services.
  4. The entire `workerConfig` object will be visible in plaintext within the code, revealing all configured secrets and monitor details.

    Protection from this CVE:

  5. Immediate Update: Upgrade to the latest version of UptimeFlare that includes commit `377a596` or later.
  6. Code Separation: Strictly separate server-only configuration and logic into files that are never imported by client-side components. Use server-side APIs (e.g., Cloudflare Workers’ `env` bindings, Next.js getServerSideProps, or dedicated API routes) to fetch sensitive data.
  7. Build Process Audit: Regularly audit the generated client-side JavaScript bundles for any accidental inclusion of environment variables or server-side modules. Tools like `next-bundle-analyzer` can help inspect bundle contents.
  8. Environment Variables: Ensure that secrets are stored as environment variables or Cloudflare Workers secrets and are only accessed in server-side contexts, not hardcoded in config files that might be bundled.

Impact:

Successful exploitation leads to the complete disclosure of the UptimeFlare server’s configuration. This includes, but is not limited to, Cloudflare account credentials (API tokens), monitor endpoints, and any authentication keys or tokens used for those monitors. An attacker can use these credentials to gain unauthorized access to the victim’s Cloudflare account, manipulate or disrupt monitoring services, access internal systems being monitored, and pivot to other connected services using the exposed API keys. The confidentiality of the entire monitoring infrastructure is compromised.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top