CVE-2025-55300
BaseFortify
Publication date: 2025-08-18
Last updated on: 2025-08-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| komari | komari | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55300 is a vulnerability in Komari, a server monitoring tool: its WebSocket upgrader disabled origin checking, so any third-party website could make a victim's browser open a WebSocket to Komari's terminal endpoint with the victim's session cookies attached. This is Cross-Site WebSocket Hijacking (CSWSH): the browser, not the attacker, holds the credentials, and the server never checks whether the page that opened the socket was its own. An attacker who lures an authenticated administrator to a malicious page can therefore send commands over that socket and have them executed on the administrator's nodes, which amounts to remote code execution. Note that the defect is a missing Origin check on the handshake rather than unescaped output, so the CWE-79 label above describes it only loosely. [1]
How can this vulnerability impact me? :
If an administrator who is logged in to Komari visits a malicious website, the attacker can run arbitrary commands on the nodes reachable through that administrator's terminal endpoint, without the administrator noticing anything. That compromises the confidentiality, integrity and availability of the affected nodes and can lead to their full takeover; the attack needs no credentials of its own, only a live browser session and one page view. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection rests on the Origin header of the WebSocket handshake: browsers always send it, and a hijacking attempt launched from a third-party page carries an Origin that is not your Komari origin. Look for upgrade requests to the terminal API endpoint (for example a path like /api/terminal; check the actual route in your deployment) whose Origin host differs from the Host the request was sent to. Two caveats apply. First, the vulnerable version accepts such requests, so nothing fails and no error is logged; you must record the header yourself. Second, on HTTPS the handshake is encrypted, so packet capture only shows it on a plaintext listener or on the hop between a TLS-terminating reverse proxy and the backend. For a plaintext listener on port 80 a capture looks like: tcpdump -l -i any -A 'tcp port 80 and ((tcp[13] & 8) != 0)' | grep -i -E 'origin:|upgrade: websocket' (the original form 'tcp port 80 or tcp port 443 and ...' binds as 'port 80 or (port 443 and ...)', and port 443 traffic is TLS and cannot be grepped). The more reliable approach is to have the reverse proxy in front of Komari log the Origin and Upgrade request headers (in nginx, the variables $http_origin and $http_upgrade) and alert on lines where Upgrade is websocket, the path is the terminal endpoint and the Origin host is not your own. Browser developer tools only show connections opened by pages in your own browser, so they help confirm a proof of concept, not monitor a server. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade Komari to version 1.0.4-fix1 or later, where the WebSocket upgrader validates the Origin header against the server's own host; the patch that enforces strict origin checking in the upgrader (as detailed in the commit) is the definitive fix. [1, 2] If you cannot upgrade immediately, put the terminal endpoint behind a reverse proxy that rejects WebSocket upgrade requests whose Origin is not your Komari origin (feasible because browsers always send Origin on a handshake), and restrict who can reach the panel at the network level so that an attacker's page cannot reach it from an arbitrary network position. Setting the session cookie's SameSite attribute at the proxy, where your deployment allows it, also blocks the cookie from riding along on a cross-site handshake. Finally, tell administrators to log out of Komari, or use a separate browser profile, before browsing untrusted sites, since the attack needs their live session.
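The Go program below is an added example written for this page; it is not code from Komari or from its fix commit. It shows the two sides of the issue discussed in the detection and mitigation answers above: an upgrader origin check in its pre-fix form (accept everything) next to a hardened form (Origin host must equal the request Host), exercised with a foreign and a same-origin handshake, and a scanner that applies the same comparison to reverse-proxy access-log lines to surface handshakes a CSWSH attempt would leave behind. The /api/terminal path, the komari.example and evil.example hosts, the access-log line format and the handler structure are assumptions for illustration; in a real Go service built on a websocket library the check would live in that library's origin-check hook (CheckOrigin in gorilla/websocket, which is an assumption about Komari's stack), and the bare 101 here stands in for the real upgrade so that the example needs only the standard library.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originAllowed reports whether a browser's Origin header names the host the
// handshake went to. An empty Origin is accepted: browsers always send one on a
// WebSocket handshake, so none means a non-browser client, not a CSWSH victim.
func originAllowed(origin, host string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil {
		return false
	}
	return strings.EqualFold(u.Host, host)
}

// vulnerableCheckOrigin reproduces the pre-fix behaviour the advisory describes:
// every Origin passes, so any page the admin visits can open the terminal socket.
func vulnerableCheckOrigin(r *http.Request) bool { return true }

// checkOrigin is the hardened check: the Origin host must equal the request Host.
func checkOrigin(r *http.Request) bool {
	return originAllowed(r.Header.Get("Origin"), r.Host)
}

// terminalHandler guards a hypothetical terminal upgrade route. The check runs
// before the upgrade; a bare 101 stands in for the real websocket upgrade.
func terminalHandler(check func(*http.Request) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !check(r) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusSwitchingProtocols)
	})
}

// handshakeStatus replays a browser-style upgrade request with the given Origin
// ("" behaves like an absent header) and returns the status h answers with.
func handshakeStatus(h http.Handler, origin string) int {
	r := httptest.NewRequest(http.MethodGet, "http://komari.example/api/terminal", nil)
	r.Header.Set("Upgrade", "websocket")
	r.Header.Set("Origin", origin)
	w := httptest.NewRecorder()
	h.ServeHTTP(w, r)
	return w.Code
}

// sampleLog is constructed for this example: reverse-proxy access lines in an
// assumed "<host> <method> <path> <status> upgrade=<v> origin=<v>" format,
// where "-" means the header was not sent.
const sampleLog = `komari.example GET /api/terminal?id=n1 101 upgrade=websocket origin=https://komari.example
komari.example GET /api/terminal?id=n1 101 upgrade=websocket origin=https://evil.example
komari.example GET /api/nodes 200 upgrade=- origin=-
komari.example GET /api/terminal?id=n1 101 upgrade=websocket origin=-`

// suspiciousHandshakes returns lines where a WebSocket handshake to terminalPath
// carried a foreign Origin: the trace a CSWSH attempt leaves even on the
// vulnerable version, which never rejects it and therefore logs no error.
func suspiciousHandshakes(access, terminalPath string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(access))
	for sc.Scan() {
		line := sc.Text()
		f := strings.Fields(line)
		if len(f) < 6 {
			continue
		}
		host, path, upgrade, origin := f[0], f[2], "", ""
		for _, kv := range f[4:] {
			if strings.HasPrefix(kv, "upgrade=") {
				upgrade = strings.TrimPrefix(kv, "upgrade=")
			} else if strings.HasPrefix(kv, "origin=") && kv != "origin=-" {
				origin = strings.TrimPrefix(kv, "origin=")
			}
		}
		if strings.EqualFold(upgrade, "websocket") && strings.HasPrefix(path, terminalPath) &&
			!originAllowed(origin, host) {
			hits = append(hits, line)
		}
	}
	return hits
}

func main() {
	vuln, fixed := terminalHandler(vulnerableCheckOrigin), terminalHandler(checkOrigin)
	fmt.Println("vulnerable, foreign origin:", handshakeStatus(vuln, "https://evil.example"))
	fmt.Println("fixed, foreign origin:", handshakeStatus(fixed, "https://evil.example"))
	fmt.Println("fixed, same origin:", handshakeStatus(fixed, "https://komari.example"))
	for _, l := range suspiciousHandshakes(sampleLog, "/api/terminal") {
		fmt.Println("suspicious:", l)
	}
}
```

Running it with go run shows the vulnerable handler answering 101 to the evil.example handshake, the fixed one answering 403 while still accepting the same-origin handshake, and exactly one flagged log line (the foreign-origin one). The last log line, a handshake with no Origin at all, is deliberately not flagged: a client that omits Origin is not a browser, so it cannot be carrying a victim's cookies, and rejecting it would only break legitimate non-browser clients. The comparison is on host (including port) only, which is what a default same-origin check in common websocket libraries does; if the panel is served on a non-default port behind a proxy, make sure the proxy forwards the original Host so the comparison is against the name the browser actually used.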