Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.
https://github.com/nezhahq/nezha/security/advisories/GHSA-ww5p-j6cj-6mqq
https://github.com/nezhahq/nezha/releases/tag/v2.2.5
https://github.com/nezhahq/nezha/commit/39d398066d8c644fe452f74704e34ada6c7ab61e
Published: 2026-07-10
Updated: 2026-07-10
Base Score: 4
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N
Severity: Medium
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity: Medium
Base Score: 6.9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Severity: Medium
EPSS: 0.00304