Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0.
Published: 2026-06-12
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nezha Monitoring exposes two WebSocket endpoints that create long‑lived streams to agents. Each request creates a new stream context stored in an unbounded map without any per‑user or global limit. With no rate limiting or connection cap, an attacker can overwhelm system memory and CPU by opening many concurrent streams, resulting in degraded performance or application crashes. The weakness is CWE‑770, Allocation of Resources Without Limits or Throttling.

Affected Systems

Vendors: nezhahq:nezha. Products: Nezha Monitoring Dashboard. Affected versions: all releases from 1.0.0 up to, but not including, 2.2.0. The patch introduced in 2.2.0 removes the unbounded map and implements limits.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS score is available, suggesting a low to moderate likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the open WebSocket endpoints over the public network, and with sufficient traffic a single malicious user could exhaust server resources. The lack of built‑in limits makes the exploit trivial once the endpoint is reachable.

Generated by OpenCVE AI on June 12, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nezha Monitoring to version 2.2.0 or later to receive the patch that limits or removes unbounded WebSocket streams.
  • Configure network controls or an API gateway to block or throttle access to the /api/v1/terminal and /api/v1/file endpoints, applying per‑user or per‑IP rate limits to prevent abuse.
  • Deploy monitoring for long‑lived WebSocket connections and set alerts for abnormal connection counts or memory usage, allowing early detection of attempted resource exhaustion.
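The description above names the three missing controls (per-user limit, global semaphore, per-server connection cap), and the recommended actions call for rate limits plus alerting on abnormal connection counts. The Go program below is an added example written for this page, not code from the Nezha project: it sketches a bounded stream registry that enforces all three limits on creation, releases them on close, and exposes a snapshot a metrics exporter could alert on. The limit values, the type and function names, and the userID/serverID parameters are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Errors returned when a limit would be exceeded (hypothetical names).
var (
	ErrGlobalLimit   = errors.New("global stream limit reached")
	ErrUserLimit     = errors.New("per-user stream limit reached")
	ErrServerLimit   = errors.New("per-server stream limit reached")
	ErrDuplicateID   = errors.New("stream id already registered")
	ErrUnknownStream = errors.New("unknown stream id")
)

// streamContext stands in for the dashboard's per-stream state (assumed shape).
type streamContext struct {
	id       string
	userID   uint64
	serverID uint64
}

// StreamRegistry is a bounded replacement for an unbounded map of streams:
// a channel semaphore caps the total, and two counters cap per-user and
// per-server usage. All mutation happens under mu.
type StreamRegistry struct {
	mu        sync.Mutex
	streams   map[string]*streamContext
	perUser   map[uint64]int
	perServer map[uint64]int
	sem       chan struct{} // global semaphore; capacity == global cap
	maxUser   int
	maxServer int
}

func NewStreamRegistry(maxGlobal, maxPerUser, maxPerServer int) *StreamRegistry {
	return &StreamRegistry{
		streams:   make(map[string]*streamContext),
		perUser:   make(map[uint64]int),
		perServer: make(map[uint64]int),
		sem:       make(chan struct{}, maxGlobal),
		maxUser:   maxPerUser,
		maxServer: maxPerServer,
	}
}

// Create registers a stream or rejects it without blocking the caller.
func (r *StreamRegistry) Create(id string, userID, serverID uint64) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	// Non-blocking acquire: a full semaphore means the global cap is hit.
	select {
	case r.sem <- struct{}{}:
	default:
		return ErrGlobalLimit
	}
	var err error
	switch {
	case r.streams[id] != nil:
		err = ErrDuplicateID
	case r.perUser[userID] >= r.maxUser:
		err = ErrUserLimit
	case r.perServer[serverID] >= r.maxServer:
		err = ErrServerLimit
	}
	if err != nil {
		<-r.sem // give back the global slot on any rejection
		return err
	}
	r.streams[id] = &streamContext{id: id, userID: userID, serverID: serverID}
	r.perUser[userID]++
	r.perServer[serverID]++
	return nil
}

// Close releases every limit the stream held; it must run when the
// WebSocket or agent side goes away, or the caps become a self-inflicted DoS.
func (r *StreamRegistry) Close(id string) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	ctx, ok := r.streams[id]
	if !ok {
		return ErrUnknownStream
	}
	delete(r.streams, id)
	if r.perUser[ctx.userID]--; r.perUser[ctx.userID] == 0 {
		delete(r.perUser, ctx.userID)
	}
	if r.perServer[ctx.serverID]--; r.perServer[ctx.serverID] == 0 {
		delete(r.perServer, ctx.serverID)
	}
	<-r.sem
	return nil
}

// Count is the figure a metrics exporter would publish for connection-count alerts.
func (r *StreamRegistry) Count() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.streams)
}

func main() {
	r := NewStreamRegistry(4, 2, 2) // constructed limits for the demo
	for i := 0; i < 6; i++ {
		err := r.Create(fmt.Sprintf("stream-%d", i), 1, 10) // one user, one server
		fmt.Printf("stream-%d: %v\n", i, err)
	}
	fmt.Println("open streams:", r.Count())
}
```

The global slot is taken before the per-user and per-server checks and released on any rejection, so a rejected request never leaks capacity; the same release path in Close is what keeps the registry bounded over time.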

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Same text as the Description at the top of this record
Title | (none) | Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS
Weaknesses | (none) | CWE-770
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T21:04:38.357Z

Reserved: 2026-06-09T17:30:33.456Z

Link: CVE-2026-53522

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T22:16:52.377

Modified: 2026-06-12T22:16:52.377

Link: CVE-2026-53522

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling