UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig (safe for client use) and workerConfig (server-only, contains sensitive data) from the same module. Due to pages/incidents.tsx importing and using workerConfig directly inside client-side component code, the entire workerConfig object was included in the client-side JavaScript bundle served to all visitors.
This issue has been patched via commit 377a596.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://github.com/lyc8503/UptimeFlare/commit/377a5963c66ba9a798abebfe8d80378b0…
security-advisories@github.com
https://github.com/lyc8503/UptimeFlare/issues/198
security-advisories@github.com
https://github.com/lyc8503/UptimeFlare/security/advisories/GHSA-36q9-v7p3-vj6v
security-advisories@github.com