OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are not blocked, so attacker code can traverse `page.context().browser()._browserType.launchServer(...)` and spawn arbitrary processes. Version 10.0.35 contains a patch.
Synthetic Monitor scripts are executed in the VMRunner.runCodeInNodeVM environment with an active Playwright page object available in the context. The protection mechanism relies on a denylist of blocked properties and methods, however this list is incomplete — the `_browserType` property and the `launchServer` method are not blocked. An attacker can traverse the path `page.context().browser()._browserType.launchServer(...)`, which allows execution of arbitrary system processes on the Probe host or container.
An attacker with ProjectMember privileges can execute arbitrary system commands on the Probe container or host, gaining full control over the runtime environment (confidentiality, integrity, and availability of the system are fully compromised).
OneUptime should be updated to version 10.0.35, which contains a patch that eliminates the vulnerability by supplementing the denylist with the `_browserType` property and the `launchServer` method. Patch available in vendor references (commit e8e4ee3ff0740eb131045ab3d67453141c46178a on GitHub).
OneUptime (Hackerbay) in versions prior to 10.0.35
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HHackerbay Oneuptime
APPHackerbay< 10.0.35
Related vulnerabilities
OneUptime: nieautoryzowany dostęp do endpointów powiadomień i zarządzania numerami
Brak uwierzytelnienia w endpointach workflow w OneUptime (RCE)
Brak uwierzytelnienia w API powiadomień OneUptime — obejście autoryzacji
SQL Injection w OneUptime — nieautoryzowany dostęp do bazy i potencjalny RCE
OneUptime: RCE przez niebezpieczny Playwright sandbox w Synthetic Monitors