OneUptime Synthetic Monitors Playwright Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in OneUptime versions prior to 10.0.20. The issue is in Synthetic Monitors, where low-privileged project users can submit custom Playwright scripts that are executed on the oneuptime-probe service. This untrusted code runs inside Node's vm module and has access to live Playwright objects, such as browser and page. An attacker can use the Playwright browser object to launch arbitrary executables on the probe host or container.
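The description above turns on one property of Node's vm module: objects placed in a context are shared with the host by reference, so the script acts with the authority of whatever it is handed. The following JavaScript is an added example, not code from OneUptime or this advisory; FakeBrowser, FakePage and the launchExecutable method are constructed stand-ins (the method only records the call), and the audit function is a hypothetical review helper that lists every callable the sandbox globals expose.

```javascript
// Added example with constructed stand-ins; FakeBrowser and FakePage are
// hypothetical classes, not Playwright or OneUptime code.
const vm = require('node:vm');

const hostLog = []; // what the host process was asked to do

class FakeBrowser {
  // Stand-in for a host capability that starts a process; it only records the request.
  launchExecutable(path) { hostLog.push(`launch:${path}`); return 'launched'; }
}
class FakePage {
  constructor(browser) { this.owner = browser; } // constructed back-reference
  title() { return 'constructed page'; }
}

// Return dotted paths of every callable reachable from `root` through own
// properties and the prototype chain (bounded depth, cycle-safe).
function reachableMethods(root, prefix, depth = 3, seen = new Set()) {
  if (root === null || typeof root !== 'object' || depth < 0 || seen.has(root)) return [];
  seen.add(root);
  const found = [];
  for (let o = root; o && o !== Object.prototype; o = Object.getPrototypeOf(o)) {
    for (const key of Object.getOwnPropertyNames(o)) {
      if (key === 'constructor') continue;
      const value = root[key];
      if (typeof value === 'function') found.push(`${prefix}.${key}`);
      else found.push(...reachableMethods(value, `${prefix}.${key}`, depth - 1, seen));
    }
  }
  return found;
}

// List callables exposed by the sandbox globals that are not on the allowlist.
function auditSandboxGlobals(globals, allowlist) {
  return Object.entries(globals)
    .flatMap(([name, value]) => reachableMethods(value, name))
    .filter((path) => !allowlist.includes(path))
    .sort();
}

// Run a script in a fresh vm context with the given globals, as a script runner would.
function runInVm(code, globals) {
  return vm.runInNewContext(code, { ...globals }, { timeout: 1000 });
}

const browser = new FakeBrowser();
const page = new FakePage(browser);
console.log(auditSandboxGlobals({ browser, page }, ['page.title']));
console.log(runInVm('browser.launchExecutable("/constructed/path")', { browser }), hostLog);
```

An empty audit result does not make the vm context a security boundary: Node's documentation states that node:vm is not a security mechanism, so untrusted scripts still need process or container isolation.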
Impact
Exploitation of this vulnerability allows for remote code execution on the probe host or container.
Reproduction
To reproduce this vulnerability, log in as a user with normal project membership and navigate to 'Monitors -> Create New Monitor'. Select 'Synthetic Monitor' and paste a malicious Playwright script into the 'Playwright Code' section. Choose a browser type and screen size, set the retry count to 0, and click 'Test Monitor'. The injected code will be executed, and the output will be displayed, demonstrating successful exploitation.
Remediation
Users are advised to update to OneUptime version 10.0.20 or later.
