Umami is vulnerable - upgrade immediately

https://jlai.lu/post/29883346

Link? Did you discover this yourself? There is no actual info here.
RCE Confirmed via Umami Dependency (Next.js CVE-2025-66478) · Issue #3852 · umami-software/umami

Describe the Bug I am reporting this to confirm that a critical vulnerability in Next.js (CVE-2025-66478) led to a root-level compromise on my server, where Umami was running. I understand Umami ha...

GitHub
All recently opened issues are about this. I was a victim, but I'm not the first, and people on Reddit have done better investigations than I have. Look for the name of the process at the top.

Thanks.

For severe incidents like this, please post the most appropriate link, in this case github.com/umami-software/umami/issues/3852

Admins in selfhosted usually don't have that much experience with real, active compromise and may panic, so let's help them as much as possible.

What was the vector? Did you have umami exposed publicly?

Wow I’m glad I happened to see this here. Thank you for the post. I was just thinking about putting all my services behind a VPN too, I think I’m going to go ahead and put that at the top of the list…
I don't think a VPN would help here.
Exploiting this vulnerability requires access to the service, which wouldn't be possible if it were behind a VPN.
Yes, I re-read the CVE. I thought it was an issue with an npm package with a cryptominer.
Yeah, but Umami is an analytics engine powered by client-side tracking. If it were behind a VPN it would be useless.
Unless it was the software package itself that was compromised.
I don’t know about “all umami instances being infected” but they were certainly all vulnerable.
I see it’s running Ansible. That’s an obvious risk.

All umami instances have been infected with a persisting crypto miner.

Source for that claim? Because it sounds like you’ve misunderstood something.

Look inside

React2Shell

This could explain why my 4C/8T VPS started hitting 100% CPU usage shortly after boot with like next to nothing else running on it.
Yup, umami was the culprit in my case. Quick update and it’s all running smooth again.
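Several posters above found the compromise the same way: a host pinned at 100% CPU shortly after boot, and an unfamiliar process at the top of the list. The script below is an added triage helper for exactly that check; it is not code from any poster, from Umami or from Next.js. It flags processes that look like a resident miner: very high CPU, an executable living under /tmp, /dev/shm or /var/tmp, or an executable that has been deleted from disk while the process keeps running (a common way to hide the binary). The process table in it is constructed for the example and the process name "updater" is made up, not a known miner name. The live mode assumes a Linux host with procps `ps` and a readable /proc.

```bash
#!/bin/sh
# Added triage helper, not code from the thread, Umami or Next.js.
# Flags processes that look like a resident cryptominer: very high CPU,
# binary under /tmp, /dev/shm or /var/tmp, or a binary deleted while running.
# The sample table below is constructed; "updater" is a made-up name.

# flag_suspicious_procs THRESHOLD
# Reads lines "PID %CPU COMM EXE[ (deleted)]" on stdin and prints
# "PID COMM reasons" for every row that trips at least one rule.
flag_suspicious_procs() {
  awk -v thr="${1:-80}" '
    NF < 4 { next }                        # skip blank or short lines
    NR == 1 && $1 == "PID" { next }        # skip a header row if present
    {
      pid = $1; cpu = $2 + 0; comm = $3; exe = $4; why = ""
      if (cpu >= thr + 0)                    why = why "high_cpu;"
      if (exe ~ "^/(tmp|dev/shm|var/tmp)/")  why = why "tmp_exe;"
      if ($0 ~ /\(deleted\)$/)               why = why "deleted_exe;"
      if (why != "") print pid, comm, why
    }'
}

# snapshot_procs
# Builds the same four-column table from a live Linux host: procps `ps`
# for pid/%cpu/comm, plus the resolved /proc/PID/exe link (readlink appends
# " (deleted)" when the binary is gone). Assumes comm has no spaces.
snapshot_procs() {
  ps -eo pid=,pcpu=,comm= | while read -r pid cpu comm; do
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    printf '%s %s %s %s\n' "$pid" "$cpu" "$comm" "$exe"
  done
}

# Constructed sample process table (not captured from a real incident).
SAMPLE_PS='PID %CPU COMM EXE
1 0.0 systemd /usr/lib/systemd/systemd
812 2.1 node /usr/local/bin/node
1440 0.4 postgres /usr/lib/postgresql/16/bin/postgres
3381 397.2 updater /tmp/.x/updater (deleted)
3390 0.0 sh /usr/bin/dash
3402 95.0 node /usr/local/bin/node'

# count_flagged THRESHOLD: number of flagged rows in the sample table.
count_flagged() {
  printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs "$1" | grep -c .
}

# Default run scans the constructed sample; `--live` scans the current host.
if [ "${1:-}" = "--live" ]; then
  snapshot_procs | flag_suspicious_procs 80
else
  printf '%s\n' "$SAMPLE_PS" | flag_suspicious_procs 80
fi
```

Run it with `--live` on a box you suspect; a busy but legitimate `node` process will show up as `high_cpu;` alone, while the rows that also carry `tmp_exe;` or `deleted_exe;` are the ones to pull the PID, open files and parent process for before killing anything. The threshold is per-process CPU as `ps` reports it, so on a multi-core host a miner can exceed 100. A clean scan is not proof of a clean host: the script only catches the noisy, lazy miner pattern, and persistence (cron entries, systemd units, modified startup files) has to be checked separately.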