OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
The Synthetic Monitors mechanism executes untrusted user code within a Node.js sandbox environment (vm module), however browser objects and Playwright page instances running in the host context are directly exposed to this code. An attacker can invoke Playwright API methods on the injected browser object, causing the probe server to execute an executable file controlled by the attacker. The attack does not require separate vm sandbox escape — it only requires exploitation of available host objects.
An attacker can execute arbitrary system commands on the oneuptime-probe server or container, potentially leading to full compromise of the probe environment, data exfiltration, and further lateral movement within the infrastructure.
OneUptime should be updated to version 10.0.21 or later, where the vulnerability has been fixed. The patch is available in the official GitHub repository: https://github.com/OneUptime/oneuptime/releases/tag/10.0.21
OneUptime (Hackerbay) in all versions before 10.0.21, particularly installations using the Synthetic Monitors functionality.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HHackerbay Oneuptime
APPHackerbay< 10.0.21
Related vulnerabilities
Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)
Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji
OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami
RCE w OneUptime — command injection przez Playwright w Synthetic Monitor
SQL Injection w OneUptime — nieautoryzowany dostęp do bazy i potencjalny RCE