OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@oneuptime/commonnpm | < 10.0.18 | 10.0.18 |
Affected products
2- OneUptime/oneuptimev5Range: < 10.0.18
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-h343-gg57-2q67ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-30887ghsaADVISORY
- github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.