CVE-2025-55300 Overview
CVE-2025-55300 affects Komari, a lightweight, self-hosted server monitoring tool. Versions prior to 1.0.4-fix1 ship a WebSocket upgrader with origin checking disabled. This configuration exposes authenticated users to Cross-Site WebSocket Hijacking (CSWSH) attacks. Any third-party website can issue WebSocket requests to the terminal endpoint using the victim's browser cookies. Successful exploitation grants remote code execution on the monitored server through the hijacked terminal session. The flaw is categorized under [CWE-79] and is fixed in release 1.0.4-fix1.
Critical Impact
Cross-Site WebSocket Hijacking against the terminal endpoint enables remote code execution on the Komari host when an authenticated administrator visits an attacker-controlled page.
Affected Products
- Komari server monitoring tool versions prior to 1.0.4-fix1
- Self-hosted Komari instances exposing the terminal WebSocket endpoint
- Deployments where administrators authenticate via standard browser session cookies
Discovery Timeline
- 2025-08-18 - CVE-2025-55300 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-55300
Vulnerability Analysis
Komari exposes a WebSocket endpoint that brokers an interactive terminal for authenticated administrators. The server-side upgrader accepts the HTTP Upgrade handshake without validating the Origin header. Browsers attach session cookies automatically when scripts initiate WebSocket connections, regardless of the originating site. An attacker who lures an authenticated user to a malicious page can therefore open a terminal session through the victim's browser. Commands sent over that channel execute on the Komari host with the privileges of the running service, producing remote code execution.
Root Cause
The root cause is a missing origin verification step in the WebSocket upgrade path. Standard Gorilla-style upgraders default to permissive CheckOrigin behavior unless the application provides an explicit allowlist. Komari relied on the default, so the server treats cross-origin handshake requests as legitimate. Combined with cookie-based session authentication, this design fails to bind the WebSocket channel to a trusted origin.
Attack Vector
Exploitation requires a Komari administrator with an active session to visit an attacker-controlled URL. The attacker page contains JavaScript that opens a WebSocket to the Komari terminal endpoint. The browser attaches the victim's authentication cookie to the handshake. Once upgraded, the attacker streams shell commands and receives output. No credentials, prompts, or additional clicks are needed beyond the initial page visit.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-q355-h244-969h and the GitHub Commit Monitoring Update for technical details on the fix.
Detection Methods for CVE-2025-55300
Indicators of Compromise
- WebSocket Upgrade requests to the Komari terminal endpoint where the Origin header does not match the deployed Komari hostname.
- Terminal sessions originating from referrers or IP addresses that are not associated with administrator activity.
- Unexpected shell command execution, outbound connections, or new processes spawned by the Komari service account.
Detection Strategies
- Inspect reverse proxy or web server access logs for /ws or terminal WebSocket paths and alert on mismatched Origin values.
- Correlate Komari authentication events with terminal session opens to identify sessions initiated without a prior login UI interaction.
- Monitor for child processes of the Komari binary that deviate from documented monitoring behavior.
Monitoring Recommendations
- Forward Komari and reverse proxy logs to a centralized analytics platform with retention sufficient to investigate session abuse.
- Apply egress monitoring to the host running Komari to detect command-and-control traffic following terminal hijack.
- Track Komari version inventory across hosts and alert when any instance reports a version earlier than 1.0.4-fix1.
How to Mitigate CVE-2025-55300
Immediate Actions Required
- Upgrade every Komari deployment to version 1.0.4-fix1 or later without delay.
- Invalidate existing administrator sessions and rotate session secrets after patching.
- Restrict network access to the Komari web interface to trusted administrative networks or VPN ranges.
Patch Information
The vendor fix is delivered in Komari release 1.0.4-fix1. The corrective change is recorded in commit d31d12e59febce100ab0285b93338f09aa5d6cb1, which enforces origin validation in the WebSocket upgrader. Review the GitHub Security Advisory GHSA-q355-h244-969h for upgrade guidance and verification steps.
Workarounds
- Place Komari behind a reverse proxy that rejects WebSocket handshakes when the Origin header does not match the canonical Komari hostname.
- Require administrators to authenticate through a separate identity-aware proxy that enforces same-site session handling.
- Configure session cookies with SameSite=Strict at the proxy layer to block cross-site cookie attachment until the upgrade is applied.
# Example NGINX snippet to reject cross-origin WebSocket handshakes
map $http_origin $komari_origin_ok {
default 0;
"https://komari.example.com" 1;
}
server {
listen 443 ssl;
server_name komari.example.com;
location /ws {
if ($komari_origin_ok = 0) { return 403; }
proxy_pass http://127.0.0.1:25774;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
