OneUptime Custom JavaScript Monitor Sandbox Escape Vulnerability Allowing Full Cluster Compromise

Vulnerability

A critical vulnerability exists in OneUptime versions prior to 10.0.0, allowing unsandboxed code execution through the custom JavaScript monitor feature. The issue arises because user-supplied code is executed with Node.js's vm module, which provides scope isolation only and is not a security boundary for untrusted code. A well-known sandbox escape technique therefore gives the monitor code access to the underlying probe process. Exploitation is particularly damaging because the probe runs with host networking and carries sensitive cluster credentials in its environment variables. With permission to create monitors granted to the lowest role, ProjectMember, and open registration enabled by default, any anonymous user can compromise the entire cluster within approximately 30 seconds.

Impact

Exploitation of this vulnerability leads to arbitrary code execution on the probe host, allowing an attacker to access all cluster credentials from the environment. With host networking, they can directly connect to PostgreSQL, Redis, and ClickHouse using these credentials, resulting in a full cluster compromise.

Reproduction

To reproduce this vulnerability, register an account on a OneUptime deployment with open registration. Create a project, which automatically assigns the ProjectMember role. Then, navigate to the Monitors section and add a Custom JavaScript Code monitor. Paste a payload that exploits the sandbox escape into the code field and save the monitor. After a short wait for the probe to poll, check the Monitor Logs to see the extracted cluster credentials and the output of the 'id' command from the probe host.

Remediation

Users can update to OneUptime version 10.0.5 or later, where this vulnerability has been fixed.

Added: Feb 21, 2026, 11:19 AM
Updated: Feb 21, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.