CVE-2022-31149

Published: Sep 7, 2022Modified: Jun 17, 2026

9.6

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 6.0

Source: NVD

Description

ActivityWatch open-source automated time tracker. Versions prior to 0.12.0b2 are vulnerable to DNS rebinding attacks. This vulnerability impacts everyone running ActivityWatch and gives the attacker full access to the ActivityWatch REST API. Users should upgrade to v0.12.0b2 or later to receive a patch. As a workaround, block DNS lookups that resolve to 127.0.0.1.

Affected (2)

Products: Activitywatch: Activitywatch

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Activitywatch Activitywatch	Before 0.12.0
Activitywatch Activitywatch	Version 0.12.0 beta1

Related CWEs

Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

References (6)

https://gist.github.com/zozs/fdebbce75fc8538c15851b46db944a16

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/ActivityWatch/activitywatch/discussions/778

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-v9fg-6g9j-h4x4

Source: security-advisories@github.com

Third Party Advisory

https://gist.github.com/zozs/fdebbce75fc8538c15851b46db944a16

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/ActivityWatch/activitywatch/discussions/778

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-v9fg-6g9j-h4x4

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.