CVE Reports

Posted on • Originally published at cvereports.com

GHSA-WW5P-J6CJ-6MQQ: Credential Exposure in Nezha Dashboard DDNS and Notification APIs

Vulnerability ID: GHSA-WW5P-J6CJ-6MQQ
CVSS Score: 5.5
Published: 2026-06-26

GHSA-WW5P-J6CJ-6MQQ is a credential exposure vulnerability in Nezha Dashboard prior to version 2.2.5. Because the API does not redact sensitive fields when it serializes stored objects, authenticated administrative users, or actors holding read-scoped Personal Access Tokens (PATs), can retrieve plaintext third-party API credentials, secret keys, and webhook authorization headers from the list endpoints.

TL;DR

Nezha Dashboard prior to version 2.2.5 leaks high-privilege third-party integration credentials (such as Cloudflare tokens and webhook authorization headers) in plaintext via the authenticated list endpoints for DDNS and notifications.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Network
  • CVSS v4 Score: 5.5 (Medium)
  • Exploit Status: PoC
  • Impact: Credential Disclosure
  • KEV Status: Not Listed

Affected Systems

  • Nezha Dashboard
  • Nezha Dashboard: < 2.2.5 (Fixed in: 2.2.5)

Code Analysis

Commit: 39d3980

fix: dynamic dns and notification endpoints exfiltrate credentials in list API

diff --git a/cmd/dashboard/controller/ddns.go b/cmd/dashboard/controller/ddns.go
...

Exploit Details

Mitigation Strategies

  • Upgrade Nezha Dashboard to version 2.2.5 or higher.
  • Restrict administrative web dashboard endpoints (/api/v1/ddns and /api/v1/notification) to trusted network origins using reverse proxies.
  • Audit and revoke administrative Personal Access Tokens (PATs) that carry read scopes.
  • Rotate all potentially exposed credentials including Cloudflare API tokens, webhook keys, and Telegram bot tokens.

Remediation Steps:

  1. Pull the latest Docker image or binary for Nezha Dashboard >= v2.2.5.
  2. Restart the container or binary services to apply the updated executable.
  3. Navigate to the external services (Cloudflare, Slack, Telegram, etc.) and generate replacement secret keys.
  4. Update the configurations within Nezha Dashboard with the newly generated secrets.

References

Read the full report for GHSA-WW5P-J6CJ-6MQQ on our website for more details including interactive diagrams and full exploit analysis.
