DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-4J36-39GM-8VQ8: OneUptime Synthetic Monitor RCE via Sandbox Escape

#security #cve #cybersecurity #ghsa

OneUptime Synthetic Monitor RCE via Sandbox Escape

Vulnerability ID: GHSA-4J36-39GM-8VQ8
CVSS Score: 9.9
Published: 2026-03-07

A critical Remote Code Execution (RCE) vulnerability exists in OneUptime versions prior to 10.0.20, specifically within the oneuptime-probe service. The vulnerability stems from an insecure implementation of a JavaScript sandbox used for Synthetic Monitors, allowing authenticated users with low privileges to execute arbitrary code on the host system. The flaw is caused by the exposure of dangerous host objects to the sandbox context and an incomplete Proxy implementation that fails to trap specific object property accessors, enabling a complete sandbox escape.

TL;DR

Critical RCE in OneUptime allows authenticated users to escape the Synthetic Monitor sandbox and execute arbitrary commands on the probe server. Fixed in version 10.0.20.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-749
  • Attack Vector: Network
  • CVSS Score: 9.9
  • Complexity: Low
  • Privileges Required: Low
  • Exploit Status: PoC Available

Affected Systems

  • OneUptime Probe Service
  • OneUptime Docker Containers
  • Kubernetes Deployments of OneUptime
  • @oneuptime/common: < 10.0.20 (Fixed in: 10.0.20)

Mitigation Strategies

  • Upgrade to OneUptime version 10.0.20 or later immediately.
  • If upgrading is not feasible, disable the Synthetic Monitor feature completely.
  • Restrict permissions for creating or editing monitors to trusted administrators only.
  • Isolate probe containers using strong network policies (e.g., Kubernetes NetworkPolicies) to limit egress traffic.
  • Run probe containers with a read-only root filesystem and non-root user.

Remediation Steps:

  1. Pull the latest Docker image: docker pull oneuptime/oneuptime:10.0.20
  2. Redeploy the oneuptime-probe deployment in your cluster.
  3. Verify the version by checking the application logs or the health check endpoint.
  4. Audit existing Synthetic Monitors for suspicious code patterns matching the PoC (e.g., getOwnPropertyDescriptor, browserType().launch).

References

Read the full report for GHSA-4J36-39GM-8VQ8 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)