CVE-2026-53522
Status: Deferred - Pending Action

Memory Leak in Nezha Monitoring Dashboard

Vulnerability report for CVE-2026-53522, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...), which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap, so nothing bounds how many stream contexts can accumulate. This issue has been patched in version 2.2.0.
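The description names the missing controls (a global limit, a per-user limit and a per-server cap) without showing what a bounded registry looks like. The Go example below is added here and is not Nezha's code or the 2.2.0 fix: it keeps the description's map[string]*ioStreamContext idea but guards every insert with three caps under one mutex, and releases the slots on close. The ioStreamContext fields, the StreamRegistry type and the cap values are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrStreamLimit is returned when admitting one more stream would exceed a cap.
var ErrStreamLimit = errors.New("stream limit reached")

// ioStreamContext is a hypothetical stand-in for one long-lived
// dashboard-to-agent stream (a terminal or file-manager session).
type ioStreamContext struct {
	ID       string
	UserID   string
	ServerID uint64
}

// StreamRegistry replaces an unbounded map of streams with one that enforces
// a global cap, a per-user cap and a per-server cap under a single mutex.
type StreamRegistry struct {
	mu                                 sync.Mutex
	streams                            map[string]*ioStreamContext
	perUser                            map[string]int
	perServer                          map[uint64]int
	maxTotal, maxPerUser, maxPerServer int
}

func NewStreamRegistry(maxTotal, maxPerUser, maxPerServer int) *StreamRegistry {
	return &StreamRegistry{
		streams: make(map[string]*ioStreamContext), perUser: make(map[string]int),
		perServer: make(map[uint64]int),
		maxTotal:  maxTotal, maxPerUser: maxPerUser, maxPerServer: maxPerServer,
	}
}

// CreateStream admits a stream only if every cap still has room. The checks
// and the insert run under the same lock, so concurrent requests cannot race
// past the limits.
func (r *StreamRegistry) CreateStream(id, userID string, serverID uint64) (*ioStreamContext, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, dup := r.streams[id]; dup {
		return nil, fmt.Errorf("stream %q already exists", id)
	}
	if len(r.streams) >= r.maxTotal {
		return nil, fmt.Errorf("%w: global cap of %d reached", ErrStreamLimit, r.maxTotal)
	}
	if r.perUser[userID] >= r.maxPerUser {
		return nil, fmt.Errorf("%w: user %q already holds %d streams", ErrStreamLimit, userID, r.maxPerUser)
	}
	if r.perServer[serverID] >= r.maxPerServer {
		return nil, fmt.Errorf("%w: server %d already has %d streams", ErrStreamLimit, serverID, r.maxPerServer)
	}
	ctx := &ioStreamContext{ID: id, UserID: userID, ServerID: serverID}
	r.streams[id] = ctx
	r.perUser[userID]++
	r.perServer[serverID]++
	return ctx, nil
}

// CloseStream releases the slots a stream held. Every path that ends a stream
// (client disconnect, agent timeout, error) must reach this call, otherwise the
// counters leak just like the original unbounded map.
func (r *StreamRegistry) CloseStream(id string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	ctx, ok := r.streams[id]
	if !ok {
		return false
	}
	delete(r.streams, id)
	if r.perUser[ctx.UserID]--; r.perUser[ctx.UserID] == 0 {
		delete(r.perUser, ctx.UserID)
	}
	if r.perServer[ctx.ServerID]--; r.perServer[ctx.ServerID] == 0 {
		delete(r.perServer, ctx.ServerID)
	}
	return true
}

// Active reports how many streams are currently open.
func (r *StreamRegistry) Active() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.streams)
}

func main() {
	// Constructed scenario: one user opening three sessions to the same server
	// against a per-user cap of 2; the third is refused until one is closed.
	reg := NewStreamRegistry(100, 2, 3)
	for i := 0; i < 3; i++ {
		_, err := reg.CreateStream(fmt.Sprintf("s%d", i), "alice", 1)
		fmt.Printf("open s%d: err=%v\n", i, err)
	}
	reg.CloseStream("s0")
	_, err := reg.CreateStream("s3", "alice", 1)
	fmt.Printf("after closing s0, open s3: err=%v (active=%d)\n", err, reg.Active())
}
```

The order of the checks matters little for correctness, but the per-user check is the one that stops a single account from consuming the whole global budget; a global cap alone would still let one user deny everyone else a session. Pair the registry with an idle timeout on each stream so that abandoned sessions are closed and their slots returned.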

Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-02

Affected Vendors & Products

Vendor: nezha
Product: monitoring
Version range: from 1.0.0 (inclusive) to 2.2.0 (exclusive)

Exploitability

CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

AI Quick Actions

Executive Summary

The vulnerability exists in Nezha Monitoring versions from 1.0.0 up to but not including 2.2.0. The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal and POST /api/v1/file. Both endpoints call a function that inserts a new ioStreamContext into an unbounded map without any limits on the number of connections per user, globally, or per server. This lack of rate limiting and connection caps can lead to resource exhaustion.

Impact Analysis

Because there is no limit on the number of WebSocket streams created, an attacker or user could open many connections, potentially exhausting server resources. This can lead to denial of service (DoS) conditions, making the monitoring service unavailable or unstable.

Mitigation Strategies

To mitigate this vulnerability, upgrade Nezha Monitoring to version 2.2.0 or later, where the issue has been patched.
