CVE-2026-30887

OneUptime · OneUptime Synthetic Monitors

OneUptime Synthetic Monitors are vulnerable to a sandbox escape via the Node.js vm module, allowing authenticated users to achieve remote code execution and full cluster compromise.

Executive summary

Authenticated users in OneUptime can escape the JavaScript sandbox to execute arbitrary system commands, leading to a complete compromise of the database and cluster credentials.

Vulnerability

The system executes custom Playwright/JavaScript code inside the Node.js vm module, which provides context isolation but is not a security boundary. An authenticated project member can use a standard prototype-chain escape to break out of this sandbox, reach the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container.

Business impact

The business impact is critical, as the affected container holds environment variables containing database and cluster credentials. Exploitation leads directly to a complete cluster compromise. With a CVSS score of 9.9, the risk involves total loss of data confidentiality, integrity, and availability across the entire monitoring infrastructure.

Remediation

Immediate Action: Update OneUptime to version 10.0.18 or later to ensure untrusted code is executed in a secure, hardened environment.

Proactive Monitoring: Inspect synthetic monitor configurations for suspicious JavaScript or use of constructor escapes and review container logs for unauthorized shell activity.
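For the configuration review described above, the following added example (not OneUptime's own code) scans stored synthetic-monitor scripts for tokens typical of vm-module sandbox escapes and reports which monitors need a human look; the indicator list and the `{ id, script }` record shape are assumptions for this example.

```javascript
// Added example (not OneUptime's own code): a reviewer-side scanner that
// flags stored synthetic-monitor scripts containing tokens typical of
// Node.js vm-module sandbox escapes. Indicator list and monitor shape
// ({ id, script }) are assumptions for this example.

const ESCAPE_INDICATORS = [
  // Function constructor reached through the prototype chain of a host object
  { id: 'ctor-chain', re: /\.constructor\s*\.\s*constructor\s*\(/ },
  // direct use of the host process object (env vars, native bindings)
  { id: 'process-ref', re: /\bprocess\s*\.\s*(env|binding|mainModule)\b/ },
  // command execution APIs a Playwright monitor has no reason to call
  { id: 'child-proc', re: /child_process|execSync|spawnSync/ },
  // module loading from inside the sandbox
  { id: 'require', re: /\brequire\s*\(/ },
];

// Returns one finding per (line, indicator) pair in a monitor's script.
function scanMonitorScript(monitor) {
  const findings = [];
  monitor.script.split('\n').forEach((text, idx) => {
    for (const ind of ESCAPE_INDICATORS) {
      if (ind.re.test(text)) {
        findings.push({ monitorId: monitor.id, line: idx + 1, indicator: ind.id, text: text.trim() });
      }
    }
  });
  return findings;
}

// Maps each flagged monitor id to its findings; clean monitors are omitted.
function triageMonitors(monitors) {
  const report = {};
  for (const m of monitors) {
    const findings = scanMonitorScript(m);
    if (findings.length > 0) report[m.id] = findings;
  }
  return report;
}

// Constructed sample configurations: one ordinary Playwright check and one
// carrying escape indicators (the constructor call body is elided).
const SAMPLE_MONITORS = [
  { id: 'mon-login-check',
    script: 'await page.goto("https://app.example.test/login");\nawait page.click("#submit");' },
  { id: 'mon-suspicious',
    script: 'const fn = obj.constructor.constructor("/* elided */");\nconst cp = require("child_process");' },
];

for (const [id, findings] of Object.entries(triageMonitors(SAMPLE_MONITORS))) {
  console.log(`${id}: ${findings.length} indicator(s)`, findings.map((f) => `L${f.line}:${f.indicator}`));
}
```

Run it against an export of the project's monitor configurations and treat any flagged monitor as a candidate for the log review in the same remediation step.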

Compensating Controls: Implement network segmentation to isolate the oneuptime-probe containers and restrict their access to sensitive internal databases and cluster APIs.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the potential for complete cluster takeover, this vulnerability must be addressed with extreme urgency. Organizations should upgrade to version 10.0.18 immediately. Until the patch is applied, restrict the ability of users to create or modify synthetic monitors.