A critical code execution vulnerability in ntfy.sh allows unauthenticated remote attackers to compromise the server by exploiting the parseActions function.

The parseActions function incorrectly handles user-supplied data, leading to a vulnerability that allows for arbitrary code execution. This can be triggered by a remote attacker without authentication.

With a CVSS score of 9.8, this flaw represents a significant risk to any infrastructure running ntfy.sh. Exploitation allows an attacker to gain control over the server, potentially leading to unauthorized data access and service disruption.

Immediate Action: Update ntfy.sh to version 2.21 or later.

Proactive Monitoring: Review server logs for suspicious activity and monitor for unexpected outbound network connections from the ntfy service.

Compensating Controls: Implement network-level access controls to limit exposure of the ntfy service to trusted users.

Public Exploit Available: No

The ability for an unauthenticated attacker to execute arbitrary code makes this a top-priority item. Administrators must update the software immediately to protect against potential remote exploitation.