Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-jg62-j5h6-8mpq | Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS |
Mon, 15 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Sat, 13 Jun 2026 12:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Nezhahq
Nezhahq nezha |
|
| Vendors & Products |
Nezhahq
Nezhahq nezha |
Fri, 12 Jun 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0. | |
| Title | Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-15T19:27:20.840Z
Reserved: 2026-06-09T17:30:33.456Z
Link: CVE-2026-53522
Updated: 2026-06-15T17:03:33.431Z
Status : Deferred
Published: 2026-06-12T22:16:52.377
Modified: 2026-06-15T21:17:25.123
Link: CVE-2026-53522
No data.
OpenCVE Enrichment
Updated: 2026-06-13T12:30:00Z
Github GHSA