Description
UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596.
Published: 2026-03-07
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Compromise
Action: Apply Patch
AI Analysis

Impact

A serverless uptime monitoring solution exported sensitive worker configuration, including credentials, from the same module that also exported safe page configuration. The worker configuration was imported directly in a client‑side component, causing the entire object to be bundled and served to all visitors. This flaw exposed confidential data to anyone who could load the page, resulting in a direct privacy breach.

Affected Systems

The vendor lyc8503's UptimeFlare application is affected. All deployments built from the codebase before patch commit 377a596, including any distributed versions that did not separate workerConfig from client-visible modules, must be considered vulnerable.

Risk and Exploitability

The CVSS score of 7.5 signals a high severity assessment. The EPSS score of less than 1% indicates a very low probability that this vulnerability will be actively exploited at this time, and the vulnerability is not currently tracked in the CISA KEV catalog. The most likely attack vector is simple: a malicious or curious user loads the application and inspects the JavaScript bundle to recover exposed credentials, with no authentication or privileged access required. The harm is limited to confidentiality compromise; by itself the flaw does not enable further actions such as code execution or denial of service.

Generated by OpenCVE AI on April 18, 2026 at 09:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patch provided in commit 377a596 or upgrade to a UptimeFlare release that contains the fix. This removes the workerConfig reference from client‑side code.
  • Configure the build process to exclude server‑only configuration modules from client bundles, ensuring that worker‑specific data never reaches the browser. This can be achieved by adjusting module resolution rules or adding explicit ignore directives in the build tooling.
  • Audit the UptimeFlare code base to ensure that trusted configuration data is only imported into server‑side or Cloudflare Worker code, and never into components that run in the browser.
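One way to enforce the second and third actions in CI, as an added example that is not UptimeFlare's own code: a small scanner that flags client-side source files importing the server-only export from the shared config module. The client directory list, the regexes and the inline sample sources are assumptions constructed for this illustration.

```typescript
// Added example, not UptimeFlare's own code: a build-time guard that flags client-side
// source files importing server-only exports from the shared uptime.config module.

// Assumed layout: files under these directories end up in the browser bundle.
const CLIENT_DIRS = ["pages/", "components/"];
// Exports of uptime.config.ts that must never reach a client bundle.
const SERVER_ONLY_EXPORTS = ["workerConfig"];

// symbol is the leaked export name, or "*" for a namespace import (which pulls in every export).
interface Finding { file: string; symbol: string; line: number }
// import { pageConfig, workerConfig as cfg } from '../uptime.config'
const NAMED_RE = /import\s*\{([^}]*)\}\s*from\s*['"][^'"]*uptime\.config['"]/g;
// import * as cfg from '../uptime.config'
const NAMESPACE_RE = /import\s*\*\s*as\s+\w+\s+from\s*['"][^'"]*uptime\.config['"]/g;

function findLeakedImports(files: { [path: string]: string }): Finding[] {
  const findings: Finding[] = [];
  for (const file in files) {
    // Server-side code (the Worker itself) is allowed to import workerConfig.
    if (!CLIENT_DIRS.some((dir) => file.indexOf(dir) === 0)) continue;
    const src = files[file];
    const lineOf = (i: number) => src.slice(0, i).split("\n").length;
    let m: RegExpExecArray | null;
    NAMED_RE.lastIndex = 0;
    while ((m = NAMED_RE.exec(src)) !== null) {
      for (const spec of m[1].split(",")) {
        const name = spec.trim().split(/\s+as\s+/)[0].trim(); // drop any alias
        if (SERVER_ONLY_EXPORTS.indexOf(name) !== -1) {
          findings.push({ file, symbol: name, line: lineOf(m.index) });
        }
      }
    }
    NAMESPACE_RE.lastIndex = 0;
    while ((m = NAMESPACE_RE.exec(src)) !== null) {
      findings.push({ file, symbol: "*", line: lineOf(m.index) });
    }
  }
  return findings;
}

// Constructed sample sources mirroring the pattern described in the advisory.
const SAMPLE_FILES: { [path: string]: string } = {
  "pages/incidents.tsx": "import { pageConfig, workerConfig } from '../uptime.config'\n" +
    "export default function Incidents() { return null }\n",
  "pages/index.tsx": "import { pageConfig } from '../uptime.config'\n",
  "worker/src/index.ts": "import { workerConfig } from '../../uptime.config'\n",
};

for (const f of findLeakedImports(SAMPLE_FILES)) {
  console.log(`${f.file}:${f.line} imports server-only '${f.symbol}' into client code`);
}
```

In a real pipeline the file map would be built from the checkout and a non-empty result would fail the build; a namespace import is reported because the bundler may still include every export of the module.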

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:lyc8503:uptimeflare:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Lyc8503
Lyc8503 uptimeflare
Vendors & Products Lyc8503
Lyc8503 uptimeflare

Sat, 07 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Description UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors. This issue has been patched via commit 377a596.
Title UptimeFlare: Monitor config / Credentials in `workerConfig` exposed in client-side JavaScript bundle
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:27:06.064Z

Reserved: 2026-03-04T16:26:02.898Z

Link: CVE-2026-29779

Vulnrichment

Updated: 2026-03-09T17:43:38.270Z

NVD

Status : Analyzed

Published: 2026-03-07T16:15:54.953

Modified: 2026-03-11T22:07:38.207

Link: CVE-2026-29779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses