CVE-2026-53522
Status: Received - Intake
Memory Leak in Nezha Monitoring Dashboard

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...), which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap, so nothing bounds how many stream contexts a caller can add to that map. This issue has been patched in version 2.2.0.
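The three bounds the description says are missing (per user, per monitored server, and global) are most naturally enforced in the one place where stream contexts are registered, and every cap needs a matching release when the stream closes. The Go program below is an added illustration written for this page; it is not Nezha's code, not its 2.2.0 fix, and the names Registry, Limits, Create and Close and the cap values are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrLimit is returned when creating one more stream would exceed a cap.
var ErrLimit = errors.New("stream limit reached")

// Limits are the three bounds the advisory says were missing: per user,
// per monitored server, and global. The values used below are illustrative.
type Limits struct {
	PerUser   int
	PerServer int
	Global    int
}

// streamCtx stands in for the per-stream state (an ioStreamContext in the
// advisory's terms); only its owner and target matter for the limiting logic.
type streamCtx struct {
	user   string
	server string
}

// Registry is a bounded replacement for an unbounded map[string]*streamCtx.
// All counters live behind one mutex so concurrent Create calls cannot race
// past the caps (check and insert happen under the same lock).
type Registry struct {
	mu        sync.Mutex
	limits    Limits
	streams   map[string]*streamCtx
	perUser   map[string]int
	perServer map[string]int
	nextID    int
}

// NewRegistry returns an empty registry enforcing l.
func NewRegistry(l Limits) *Registry {
	return &Registry{
		limits:    l,
		streams:   make(map[string]*streamCtx),
		perUser:   make(map[string]int),
		perServer: make(map[string]int),
	}
}

// Create registers a stream for user against server, or refuses with
// ErrLimit before anything is allocated.
func (r *Registry) Create(user, server string) (string, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if len(r.streams) >= r.limits.Global ||
		r.perUser[user] >= r.limits.PerUser ||
		r.perServer[server] >= r.limits.PerServer {
		return "", ErrLimit
	}
	r.nextID++
	id := fmt.Sprintf("stream-%d", r.nextID)
	r.streams[id] = &streamCtx{user: user, server: server}
	r.perUser[user]++
	r.perServer[server]++
	return id, nil
}

// Close removes a stream and returns its quota. A cap without a matching
// release would only turn the leak into a permanent lock-out.
func (r *Registry) Close(id string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	s, ok := r.streams[id]
	if !ok {
		return false
	}
	delete(r.streams, id)
	r.perUser[s.user]--
	r.perServer[s.server]--
	return true
}

// Active reports how many streams are currently registered.
func (r *Registry) Active() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.streams)
}

func main() {
	// Constructed scenario: one caller repeatedly hitting the endpoint.
	r := NewRegistry(Limits{PerUser: 2, PerServer: 3, Global: 4})
	for i := 1; i <= 4; i++ {
		id, err := r.Create("alice", "srv-1")
		fmt.Printf("attempt %d: id=%q err=%v\n", i, id, err)
	}
}
```

Under the hypothetical caps shown, the third request from the same user is refused, the fourth stream to one server is refused regardless of who asks, and the fifth stream overall is refused; closing a stream immediately frees its slot. Concrete limits would be a deployment decision, and a stream that is never closed still consumes its slot, so an idle timeout on the WebSocket side is the usual companion to this kind of cap.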
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: nezha
Product: monitoring
Version / Range: from 1.0.0 (inclusive) to 2.2.0 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Executive Summary

The vulnerability affects Nezha Monitoring versions from 1.0.0 up to but not including 2.2.0. The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal and POST /api/v1/file. Both call the same stream-creation routine, which inserts a new ioStreamContext into an unbounded map with no limit on the number of streams per user, per monitored server, or in total. Because nothing bounds the map, repeated requests to either endpoint make the dashboard's stream state grow without limit (CWE-770).

Impact Analysis

Because no cap or rate limit applies, anyone able to reach these two endpoints can open stream after stream, and each one adds an ioStreamContext that the dashboard keeps in memory for as long as the stream lives. Sustained abuse drives memory and connection use on the dashboard upward until the process becomes unstable or unavailable, which is a denial of service against the monitoring service itself; the agents on the far end of the WebSocket streams are also kept busy by each open stream.

Mitigation Strategies

Upgrade Nezha Monitoring to version 2.2.0 or later, where the issue has been patched. Where an upgrade cannot happen immediately, the general compensating controls for this class of issue are to restrict who can reach /api/v1/terminal and /api/v1/file and to enforce connection and request-rate limits for those paths at a reverse proxy in front of the dashboard; these reduce exposure but do not replace the fix.
