The Unraid Management Agent is a third-party community plugin for Unraid, not an official Unraid product. This plugin provides REST API and WebSocket interfaces for system monitoring and control.
Important: This plugin is designed for trusted local LAN deployment only and should never be exposed to the internet. It is intended for use within your private network, typically for integration with home automation systems like Home Assistant.
We follow a date-based versioning scheme (YYYY.MM.DD format). Security updates are provided for the following versions:
| Version | Supported | Status | Notes |
|---|---|---|---|
| 2025.11.25 | ✅ Yes | Current | Latest release with security fixes |
| 2025.11.24 | ⚠️ Upgrade recommended | | Contains known vulnerabilities (CWE-22) |
| < 2025.11.24 | ❌ No | Unsupported | Immediate upgrade required |
Recommendation: Always use the latest version to ensure you have the most recent security patches and bug fixes.
We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a security issue, please report it using one of the following methods:
Report security vulnerabilities privately via GitHub Security Advisories:
🔒 https://github.com/ruaan-deysel/unraid-management-agent/security/advisories/new
This allows us to work on a fix before public disclosure, protecting users from potential exploitation.
If you prefer public disclosure or the issue is low severity, you can report via GitHub Issues:
📋 https://github.com/ruaan-deysel/unraid-management-agent/issues
For sensitive security matters, you can contact the maintainer directly:
GitHub: @ruaan-deysel
To help us understand and address the vulnerability quickly, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact and severity assessment
- Steps to Reproduce: Detailed steps to reproduce the issue
- Proof of Concept: Code, screenshots, or examples demonstrating the vulnerability
- Affected Versions: Which versions are affected
- Suggested Fix: If you have ideas for how to fix it (optional)
When you report a vulnerability, you can expect:
- Initial Response: Within 48-72 hours acknowledging receipt of your report
- Status Updates: Regular updates on our progress investigating and fixing the issue
- Security Patch: Released as soon as possible, typically within 1-2 weeks depending on complexity
- Public Disclosure: Coordinated disclosure after a fix is available
- Triage: We assess the severity and impact of the reported vulnerability
- Investigation: We investigate the issue and develop a fix
- Testing: The fix is thoroughly tested to ensure it resolves the issue without introducing regressions
- Release: A security patch release is published with updated version number
- Disclosure: Security advisory is published with details and credit to the reporter
- Notification: Users are notified via GitHub release notes and plugin changelog
We believe in giving credit where credit is due:
- Accepted Vulnerabilities: Reporters will be credited in the security advisory and release notes (unless they prefer to remain anonymous)
- Hall of Fame: Significant security contributions may be recognized in the project README
To maximize security when using this plugin:
- Never expose to the internet: This plugin is designed for local LAN use only
- Use a firewall: Ensure your Unraid server is behind a firewall
- Keep updated: Always use the latest version of the plugin
- Monitor access: Review who has access to your local network
- Use strong passwords: Secure your Unraid server with strong credentials
- Network segmentation: Consider isolating your Unraid server on a separate VLAN
Fixed 5 CWE-22 Path Traversal Vulnerabilities (High Severity)
- Added comprehensive input validation for file paths in notification controller and config collector
- Implemented defense-in-depth validation strategy with multiple protection layers
- Added 48 security test cases to prevent path traversal attacks
- Blocks parent directory references (`..`), absolute paths, and path separators
- Prevents attackers from reading or writing arbitrary files on the system
Impact: All users should upgrade immediately to v2025.11.25
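To illustrate the layered checks the fix describes (parent references, absolute paths and path separators rejected up front, then a containment check on the joined path as a further layer), here is an added Go example written for this page. It is not the plugin's own code; the function names and the base directory are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned for every rejected name.
var ErrUnsafePath = errors.New("unsafe file name")

// ValidateFileName applies layered checks to a user-supplied name: no absolute
// paths, no separators, no parent references, no NUL bytes. Only a single plain
// path component is accepted.
func ValidateFileName(name string) error {
	switch {
	case name == "" || name == ".":
		return fmt.Errorf("%w: empty name", ErrUnsafePath)
	// Both separator kinds are rejected, so `..\` cannot slip past a "/"-only check.
	case filepath.IsAbs(name) || strings.ContainsAny(name, `/\`):
		return fmt.Errorf("%w: absolute path or separator in %q", ErrUnsafePath, name)
	// Any ".." sequence is rejected, deliberately stricter than an exact match.
	case strings.Contains(name, ".."):
		return fmt.Errorf("%w: parent reference in %q", ErrUnsafePath, name)
	// NUL bytes truncate the path inside C-level syscalls.
	case strings.ContainsRune(name, 0):
		return fmt.Errorf("%w: NUL byte in %q", ErrUnsafePath, name)
	}
	return nil
}

// SafeJoin validates name, joins it under base and then confirms the cleaned
// result still lies inside base, so a bypass of the name checks is still caught.
func SafeJoin(base, name string) (string, error) {
	if err := ValidateFileName(name); err != nil {
		return "", err
	}
	base = filepath.Clean(base)
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %q", ErrUnsafePath, name, base)
	}
	return full, nil
}

func main() { // constructed sample names; the base directory is a placeholder, not the plugin's path
	for _, n := range []string{"alert-1.notify", "../../etc/passwd", "/etc/passwd", `..\win.ini`} {
		fmt.Println(SafeJoin("/var/lib/agent/notifications", n))
	}
}
```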
In scope:
- Security vulnerabilities in the plugin code
- Path traversal, injection, and authentication bypass issues
- Information disclosure vulnerabilities
- Denial of service vulnerabilities
Out of scope:
- Issues in third-party dependencies (report to the respective projects)
- Issues in Unraid OS itself (report to Lime Technology)
- Social engineering attacks
- Physical access attacks
- Issues requiring internet exposure (plugin is not designed for this)
We follow coordinated disclosure:
- Security issues are fixed privately before public disclosure
- Fixes are released as patch versions
- Security advisories are published after fixes are available
- Users are given time to upgrade before full details are disclosed
- Security Issues: Use GitHub Security Advisories (preferred) or GitHub Issues
- General Questions: GitHub Discussions or Issues
- Maintainer: @ruaan-deysel
- GitHub Repository: https://github.com/ruaan-deysel/unraid-management-agent
- Security Advisories: https://github.com/ruaan-deysel/unraid-management-agent/security/advisories
- Issue Tracker: https://github.com/ruaan-deysel/unraid-management-agent/issues
- Changelog: CHANGELOG.md
Last Updated: 2025-11-18