Impact
Nezha Monitoring versions 2.0.0 through 2.0.13 allow an attacker who can reach the per‑server endpoints to enumerate private services marked with EnableShowInService: false. The result is that names and timing data for services that are intended to remain hidden are exposed, violating confidentiality. The vulnerability is classified under CWE‑200 (Information Exposure), CWE‑285 (Improper Authorization) and CWE‑863 (Missing Function Level Access Control).
Affected Systems
The affected systems are deployments of the nezhahq:nezha product, specifically from version 2.0.0 up to, but not including, version 2.0.14. Any instance running an affected version and exposing the per‑server API endpoints is susceptible. The product is self‑hosted, so attacks can originate from the same network or from the public internet if the endpoints are reachable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. A likely attack vector is direct HTTP requests to the per‑server API endpoints, which can be accessed by users with network connectivity to the Nezha Monitoring instance. If an attacker can obtain or guess service identifiers, enumeration can be performed to gather service names and latency information. Proper authorization controls would prevent this, but the current implementation lacks them for private services.
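The authorization control the paragraph above says is missing can be sketched as one visibility check applied to both the per-server listing and direct lookup by identifier. This is an added example, not Nezha's code or its actual fix: the Service type, the function names, the sample data and the policy that hidden services are shown only to authenticated callers are all assumptions; only the EnableShowInService flag name comes from the advisory.

```go
package main

import "fmt"

// Service is a hypothetical, simplified record; only the
// EnableShowInService flag name is taken from the advisory.
type Service struct {
	ID, ServerID        uint64
	Name                string
	AvgDelayMs          float64
	EnableShowInService bool
}

var services = []Service{ // constructed sample data
	{ID: 1, ServerID: 10, Name: "public-web", AvgDelayMs: 21.5, EnableShowInService: true},
	{ID: 2, ServerID: 10, Name: "internal-db", AvgDelayMs: 3.2, EnableShowInService: false},
}

// visible is the single authorization decision shared by every endpoint
// (assumed policy: hidden services are shown only to authenticated callers).
func visible(s Service, authenticated bool) bool {
	return s.EnableShowInService || authenticated
}

// ListForServer returns the services of one server that the caller may see.
func ListForServer(serverID uint64, authenticated bool) []Service {
	var out []Service
	for _, s := range services {
		if s.ServerID == serverID && visible(s, authenticated) {
			out = append(out, s)
		}
	}
	return out
}

// GetByID applies the same check to lookups by identifier. A hidden service
// and a nonexistent one produce the same result, so guessing IDs reveals nothing.
func GetByID(id uint64, authenticated bool) (Service, bool) {
	for _, s := range services {
		if s.ID == id && visible(s, authenticated) {
			return s, true
		}
	}
	return Service{}, false
}

func main() {
	_, found := GetByID(2, false)
	fmt.Println(len(ListForServer(10, false)), len(ListForServer(10, true)), found)
}
```

Keeping the decision in one function means a newly added endpoint cannot skip it without that being obvious in review.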