
RCE Confirmed via Umami Dependency (Next.js CVE-2025-66478)

Open ehtishamsajjad opened this issue 1 month ago • 2 comments

Describe the Bug

I am reporting this to confirm that a critical vulnerability in Next.js (CVE-2025-66478) led to a root-level compromise on my server, where Umami was running.

I understand Umami has released a fix, but this report serves to:

  1. Validate the vector: Confirm the RCE was exploitable through Umami's use of the vulnerable Next.js version.
  2. Alert the community: Share the attacker's observed post-exploitation steps, which may help others detect a compromise.

🔎 Attacker Post-Exploitation Activity

After gaining root access, the attacker deployed the following stealthy persistence mechanisms:

  • Cron Jobs
  • Modified Shell Profiles (e.g., .bashrc)
  • Untracked binary "hash" inside the local Umami project

✅ Action & Recommendation

My server was rebuilt completely to ensure integrity.

I recommend users on old versions not only update Umami but also perform a deep integrity check for persistence files if they suspect a past compromise.

Thank you for the prompt update to the Umami codebase.

Database

PostgreSQL

Relevant log output


Which Umami version are you using? (if relevant)

2.19.0

Which browser are you using? (if relevant)

Chrome

How are you deploying your application? (if relevant)

Hetzner

ehtishamsajjad, Dec 07 '25 14:12
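The report above lists three persistence artefacts (cron jobs, edited shell profiles, an untracked binary dropped into the project tree) and recommends a deep integrity check. The script below is an added example of such a sweep; it is not code from this issue or from the Umami project. It assumes a sha256 baseline taken from a known-good deploy, file names without whitespace, and the profile/cron locations listed in the usage comment; the suspect-line pattern is a heuristic.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Umami project: a small
# persistence sweep for the three artefact classes named above (cron jobs,
# edited shell profiles, an untracked binary inside the project tree).
# File locations, the suspect-line pattern and the manifest format are assumptions.

# Lines attackers commonly plant in crontabs and profiles: execution from
# world-writable dirs, download-and-pipe-to-shell, base64 blobs, nohup jobs.
SUSPECT_RE='/tmp/|/var/tmp/|/dev/shm/|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|nohup[[:space:]]'

# grep_suspect FILE: print FILE:LINE:TEXT for non-comment lines matching SUSPECT_RE.
grep_suspect() {
  [ -r "$1" ] || return 0
  grep -nE "$SUSPECT_RE" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' | sed "s|^|$1:|"
  return 0
}

# check_profiles HOME_DIR: scan the login and interactive shell profiles of one user.
check_profiles() {
  for f in .bashrc .profile .bash_profile .bash_login .zshrc; do grep_suspect "$1/$f"; done
}

# check_cron PATH...: scan per-user crontab files and system cron directories.
check_cron() {
  for p in "$@"; do
    if [ -d "$p" ]; then
      for f in "$p"/*; do if [ -f "$f" ]; then grep_suspect "$f"; fi; done
    else
      grep_suspect "$p"
    fi
  done
  return 0
}

# list_files DIR: relative paths of regular files under DIR, sorted; skips
# node_modules and .git. Assumes no whitespace or newlines in file names.
list_files() {
  ( cd "$1" && find . -type f ! -path './node_modules/*' ! -path './.git/*' ) | LC_ALL=C sort
}

# make_manifest DIR OUT: write a sha256 baseline of DIR (run on a known-good tree,
# e.g. right after a clean deploy, and keep OUT outside the tree).
make_manifest() {
  list_files "$1" | ( cd "$1" && while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# check_tree DIR MANIFEST: print CHANGED for files whose hash differs from (or that
# are missing from) the baseline, and UNTRACKED for files the baseline never saw,
# marking executables, which is how a dropped binary like the report's "hash" shows up.
check_tree() {
  dir=$1
  m=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
  ( cd "$dir" && sha256sum -c "$m" 2>/dev/null | grep -v ': OK$' | sed 's/^/CHANGED /' )
  all=$(mktemp); known=$(mktemp)
  list_files "$dir" > "$all"
  awk '{ print $2 }' "$m" | LC_ALL=C sort > "$known"
  comm -23 "$all" "$known" | while IFS= read -r f; do
    if [ -x "$dir/$f" ]; then echo "UNTRACKED EXECUTABLE $f"; else echo "UNTRACKED $f"; fi
  done
  rm -f "$all" "$known"
}

# Usage (as root, with the container's filesystem reachable, e.g. via a volume or docker cp):
#   sh sweep.sh baseline /opt/umami /root/umami.sha256      # once, on a clean tree
#   sh sweep.sh check /opt/umami /root/umami.sha256 /home/nextjs /etc/cron.d /var/spool/cron/crontabs
case "${1:-}" in
  baseline) make_manifest "$2" "$3" ;;
  check)    check_tree "$2" "$3"; check_profiles "$4"; shift 4; check_cron "$@" ;;
esac
```

The baseline must be taken before a compromise (ideally from the image or a fresh checkout) and stored off the host, since an attacker with root can rewrite a manifest kept alongside the tree. A hit on any of the three checks is a reason to treat the box as untrusted and rebuild, as the reporter did.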

Can confirm, happened on one of my servers, too, where Umami was running inside a docker container.

I discovered the following processes inside the umami docker container:

885 nextjs    3h26 /tmp/fghgf -c /tmp/config.json -B

7563 nextjs    0:00 qcxgxgtqh
7564 nextjs    3:11 qcxgxgtqh
7565 nextjs    3:25 qcxgxgtqh
7566 nextjs    0:00 [qcxgxgtqh]
7569 nextjs    2d14 /var/tmp/softirq -o 45.94.31.89:443 -u react -p 3cthDeQ5 --tls --randomx-1gb-pages --opencl --cuda -B

Also, the fghgf seems to spawn a health check process:

3161046 ?        Ssl  72531:04 /tmp/fghgf -c /tmp/config.json -B
3185135 ?        S      0:50 ash /tmp/health.sh
3201119 ?        S      0:49 ash /tmp/health.sh
3207170 ?        S      0:49 ash /tmp/health.sh

Content of the /tmp dir of the docker container:

/tmp $ ls -la
total 64624
drwxrwxrwt    1 root     root          4096 Dec  7 14:37 .
drwxr-xr-x    1 root     root          4096 Aug 18 09:14 ..
drwx------    2 nextjs   nogroup       4096 Dec  5 18:50 .ksoftirqd-private-f393y1moabubffpqvozboktusmfzqj1k-ksoftirqd-softirq.service-NjSR4
drwxr-xr-x    2 nextjs   nogroup       4096 Dec  5 14:29 .upower.service-utx2xg
-rwxr-xr-x    1 nextjs   nogroup    1505928 Dec  6 00:53 1764982384041_CeRYka5h_streamts
-rwxrwxrwx    1 nextjs   nogroup      50552 Dec  5 15:45 a
-rw-r--r--    1 nextjs   nogroup       7865 Dec  7 14:37 config.json
-rw-r--r--    1 nextjs   nogroup         24 Dec  7 14:20 contact.txt
-rwxr-xr-x    1 nextjs   nogroup       9800 Dec  7 11:34 f62f10ddtcp
-rwxrwxrwx    1 nextjs   nogroup    8334576 Dec  7 14:37 fghgf
-rwxrwxrwx    1 nextjs   nogroup        418 Dec  5 17:06 health.sh
-rwxr-xr-x    1 nextjs   nogroup    8693336 Dec  6 09:13 httprs
-rwxr-xr-x    1 nextjs   nogroup   46421977 Dec  7 11:37 install
-rwxr-xr-x    1 nextjs   nogroup       1336 Dec  7 11:37 install.sh
-rwxr-xr-x    1 nextjs   nogroup        250 Dec  5 17:30 kernelfix2
drwx------    2 nextjs   nogroup       4096 Dec  5 23:02 kodohabOnPhE
drwx------    2 nextjs   nogroup       4096 Dec  5 21:29 kodohanbkoai
drwxr-xr-x    1 root     root          4096 Jul 27 22:25 node-compile-cache
-rwxr-xr-x    1 nextjs   nogroup      98734 Dec  5 19:47 s.sh
-rw-r--r--    1 nextjs   nogroup        193 Dec  5 14:29 sys.sh
drwxr-xr-x    2 nextjs   nogroup       4096 Dec  7 11:37 trufflehog_install
-rwxr-xr-x    1 nextjs   nogroup     978928 Dec  6 01:12 udpapx
drwx------    2 nextjs   nogroup       4096 Dec  5 21:12 xr-realOKldag

I have saved everything from the docker container (/tmp, /var/tmp/ /home/nextjs) for evidence.

amorgner, Dec 07 '25 14:12
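The process listings in this comment show the traits a responder would key on: binaries executing from /tmp and /var/tmp, a process running under the application user whose name is bracketed like a kernel thread, and a command line carrying xmrig-style mining options (pool `-o host:port`, `--randomx-1gb-pages`, `--opencl`, `--cuda`). The script below is an added example of a triage pass over a saved `ps` listing, not code from this thread or from Umami. The rules are heuristics; the sample listings are constructed from the lines posted above plus a few benign processes, and the two column layouts it understands (busybox `ps` and procps `ps ax`) are assumptions.

```shell
#!/bin/sh
# Added example (not code from the issue or from Umami): a triage pass over a
# saved "ps" listing that flags the three traits visible in the listings above.
# The rules are heuristics; the assumed layouts are busybox "ps"
# (PID USER TIME COMMAND) and procps "ps ax" (PID TTY STAT TIME COMMAND).

# triage_ps: read ps output on stdin, print "PID REASON[,REASON] COMMAND" for
# processes that (a) reference a tmpfs path such as /tmp, /var/tmp or /dev/shm,
# (b) carry xmrig-style miner flags, or (c) mimic a bracketed kernel thread
# while running as a non-root user (kernel threads are always root).
triage_ps() {
  awk '
    BEGIN { ucol = 2; ccol = 4 }                 # busybox layout if no header
    NR == 1 && $1 == "PID" {                     # header present: locate columns
      ucol = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "USER") ucol = i
        if ($i == "COMMAND" || $i == "CMD") ccol = i
      }
      next
    }
    {
      cmd = ""
      for (i = ccol; i <= NF; i++) cmd = cmd (i > ccol ? " " : "") $i
      reason = ""
      if (cmd ~ /(^| )\/(tmp|var\/tmp|dev\/shm)\//) reason = reason "tmpfs-path,"
      if (cmd ~ /--(randomx|opencl|cuda|nicehash)|(^| )-o [^ ]+:[0-9]+( |$)/) reason = reason "miner-flags,"
      if (ucol && $ucol != "root" && cmd ~ /^\[[^ ]+\]$/) reason = reason "fake-kernel-thread,"
      if (reason != "") { sub(/,$/, "", reason); print $1, reason, cmd }
    }'
}

# Constructed sample: the container listing posted above plus one benign line.
SAMPLE_CONTAINER='  PID USER       TIME  COMMAND
    1 nextjs     0:05 node server.js
  885 nextjs     3h26 /tmp/fghgf -c /tmp/config.json -B
 7563 nextjs     0:00 qcxgxgtqh
 7566 nextjs     0:00 [qcxgxgtqh]
 7569 nextjs     2d14 /var/tmp/softirq -o 45.94.31.89:443 -u react -p 3cthDeQ5 --tls --randomx-1gb-pages --opencl --cuda -B'

# Constructed sample: the host "ps ax" listing posted above plus init and a real kernel thread.
SAMPLE_HOST='    PID TTY      STAT   TIME COMMAND
      1 ?        Ss     0:01 /sbin/init
      2 ?        S      0:00 [kthreadd]
3161046 ?        Ssl  72531:04 /tmp/fghgf -c /tmp/config.json -B
3185135 ?        S      0:50 ash /tmp/health.sh'

# Usage:  ps | sh triage.sh -        (inside the busybox container)
#         ps ax | sh triage.sh -     (on the host)
#         sh triage.sh demo          (replay the constructed samples)
case "${1:-}" in
  -)    triage_ps ;;
  demo) printf '%s\n' "$SAMPLE_CONTAINER" | triage_ps; printf '%s\n' "$SAMPLE_HOST" | triage_ps ;;
esac
```

The bare random names such as `qcxgxgtqh` are deliberately not flagged by name: a no-vowel heuristic would also hit legitimate daemons, so those are better caught by the tmpfs rule on their parent or by the integrity sweep on the files they were started from. In the `ps ax` layout there is no user column, so the bracketed-name rule is skipped rather than guessed.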

Duplicate of #3839, was already confirmed back then

And already patched in 3.0.2 (3 days ago) or 2.20.0 (2 days ago)

MichaelBelgium, Dec 07 '25 15:12

We recently had an incident where our umami frontend was triggering popups which would open a gambling site. Updated the server and the issue stopped. The popups were also being triggered on the main site that was importing the umami analytics script. Currently digging into the issue.

jowo-io, Dec 14 '25 10:12

Hi @amorgner I've been hit with the same thing, same filenames but a different IP for the C2 server - hosted on AWS.

It was running in memory and had cleaned up the files under /tmp. I recovered the binary, but not the config.json.

What contents did you find in the files under /tmp? Presuming it was running some kind of crypto mining rig or something?

nospi, Dec 15 '25 23:12