OneUptime Remote Code Execution Vulnerability via Unsandboxed User-Provided Code

Vulnerability

A remote code execution vulnerability affects OneUptime versions prior to 10.0.18. Synthetic Monitors let any project member supply custom Playwright/JavaScript code, and the probe runs that code through the Node.js vm module. The vm module is not an isolation boundary (its own documentation states it is not a security mechanism): code inside a vm context can reach a host-realm object, walk up to the host Function constructor, obtain the Node.js process object, and from there execute arbitrary system commands on the oneuptime-probe container. Because the probe holds database and cluster credentials in its environment variables, the result is a complete cluster compromise.

Impact

Exploitation gives an authenticated project member remote code execution on the oneuptime-probe container, from which sensitive environment variables such as database passwords and cluster secrets can be exfiltrated. Those credentials can then be used to compromise the entire OneUptime cluster.

Reproduction

To reproduce, log into the OneUptime Dashboard, open the Monitors section, and create a new Synthetic Monitor. After choosing any browser and screen settings, replace the default Playwright template with a JavaScript payload that escapes the vm sandbox (for example by reaching the host process object through a host-created object's constructor chain) and runs commands on the container. Once the monitor is saved, the probe executes the injected code, and its output, such as the probe's environment variables, can be sent to an attacker-controlled server.

Remediation

Upgrade to OneUptime version 10.0.18 or later. Because a malicious monitor could already have read the probe's environment, deployments that were exposed should also rotate the database and cluster credentials the probe holds.

Added: Mar 10, 2026, 6:00 PM
Updated: Mar 10, 2026, 6:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.