OneUptime Synthetic Monitors Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in OneUptime versions prior to 10.0.21. It allows a low-privileged, authenticated project user to execute arbitrary commands on the oneuptime-probe server or container. The flaw arises because untrusted Synthetic Monitor code is executed through Node's vm module with live Playwright browser and page objects exposed to it. A malicious user can manipulate these objects to spawn an attacker-controlled executable, achieving server-side remote code execution without needing to escape the vm sandbox.

Impact

Exploitation of this vulnerability allows for server-side remote code execution on the oneuptime-probe component, with the potential to access internal services, secrets, and other sensitive information, depending on the deployment environment.

Reproduction

To reproduce this vulnerability, log into the OneUptime dashboard as a regular project member. Navigate to 'Monitors' and create a new 'Synthetic Monitor'. In the Playwright code editor, inject a script that uses the Playwright API to launch a browser type with an executable path pointing to a command, such as 'id', and then execute the monitor. The command output will be returned in the monitor execution details, demonstrating successful exploitation.

Remediation

Update to OneUptime version 10.0.21 or later to address this vulnerability.

Added: Mar 10, 2026, 6:49 PM
Updated: Mar 10, 2026, 6:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.