OneUptime: Password Reset Token Logged at INFO Level
Description
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OneUptime prior to 10.0.24 logs the full password reset URL with plaintext token at INFO level, enabling account takeover via log access.
Vulnerability
Description
OneUptime, an open-source monitoring and observability platform, contains a sensitive data exposure vulnerability in its password reset flow. The application logs the complete password reset URL—including the plaintext reset token—at the INFO log level, which is enabled by default in production environments [1][3]. The vulnerable code resides in App/FeatureSet/Identity/API/Authentication.ts at lines 370-371, where logger.info("Reset Password URL: " + tokenVerifyUrl) outputs the full URL [3].
Exploitation
An attacker with access to application logs—such as log aggregation systems, Docker logs, or Kubernetes pod logs—can intercept the reset token. No authentication is required to trigger the password reset request; the attacker only needs to know the target user's email address. The token is logged immediately upon request, allowing the attacker to use it to reset the victim's password and gain full account access [3].
Impact
Successful exploitation leads to complete account takeover of any user whose password reset is triggered. This includes administrative accounts, potentially compromising the entire OneUptime instance. NVD has not yet provided a CVSS score, but the advisory classifies the issue as high severity because of the ease of exploitation and broad impact [1][3].
Mitigation
The issue is fixed in OneUptime version 10.0.24 [1][4]. Users should upgrade immediately. As a workaround, administrators can reduce log verbosity or filter out sensitive URLs from log output, but upgrading is the recommended action. No evidence of active exploitation in the wild has been reported at the time of publication.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
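The logging defect and the log-filtering workaround described above, as an added TypeScript example that is not OneUptime's own code: the vulnerable pattern, a hardened variant that redacts the token before the line reaches any log sink, and a scanner for log lines that already carry a token. The query-parameter names (token, resettoken, code) and the long-opaque-path-segment heuristic are assumptions; the page does not say how the URL carries the token.

```typescript
// Added example, not OneUptime's code. Parameter names and the path-segment
// heuristic are assumptions; the advisory does not state the URL layout.

// Minimal in-memory logger so the example runs offline.
const captured: string[] = [];
const logger = { info: (msg: string): void => { captured.push(msg); } };

// Vulnerable pattern from the advisory: full URL, token included, at INFO.
function logResetUrlVulnerable(tokenVerifyUrl: string): string {
  const line = "Reset Password URL: " + tokenVerifyUrl;
  logger.info(line);
  return line;
}

// Query-parameter names treated as secrets (assumed; compared lowercase).
const SECRET_PARAMS = new Set(["token", "resettoken", "code"]);
// A path segment long enough and opaque enough to be a token (assumed).
const TOKEN_SEGMENT = /^[A-Za-z0-9_-]{20,}$/;

// Strip secret-bearing parts of a reset URL: query form (?token=...) and
// path form (/reset-password/<token>) are both handled.
function redactResetUrl(rawUrl: string): string {
  const url = new URL(rawUrl);
  for (const key of Array.from(url.searchParams.keys())) {
    if (SECRET_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, "REDACTED");
    }
  }
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (TOKEN_SEGMENT.test(seg) ? "REDACTED" : seg))
    .join("/");
  return url.toString();
}

// Hardened pattern: same log statement, token removed first.
function logResetUrlHardened(tokenVerifyUrl: string): string {
  const line = "Reset Password URL: " + redactResetUrl(tokenVerifyUrl);
  logger.info(line);
  return line;
}

// Retrospective check for existing log archives: lines whose reset URL still
// carries a token-like value. Any hit means outstanding reset tokens for that
// instance should be treated as exposed and invalidated.
const LEAK_LINE = /Reset Password URL: \S*(?:[?&][A-Za-z]+=|\/)[A-Za-z0-9_-]{20,}/;

function findLeakedResetLines(lines: string[]): string[] {
  return lines.filter((line) => LEAK_LINE.test(line));
}
```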
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| oneuptime (npm) | < 10.0.23 | 10.0.23 |
Affected products
- OneUptime/oneuptime (v5), range: < 10.0.24
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4524-cj9j-g4fj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32598 (ghsa, ADVISORY)
- github.com/OneUptime/oneuptime/releases/tag/10.0.23 (ghsa, WEB)
- github.com/OneUptime/oneuptime/security/advisories/GHSA-4524-cj9j-g4fj (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.