CVE-2026-30921
OneUptime · OneUptime Synthetic Monitors
Low-privileged users in OneUptime can achieve server-side RCE by abusing injected Playwright browser objects within Synthetic Monitors to spawn arbitrary executables.
Executive summary
OneUptime’s Synthetic Monitors allow authenticated users, including low-privileged ones, to bypass the intended execution limits of the monitor sandbox and spawn arbitrary executables on the probe host via the Playwright objects exposed to the monitor script.
Vulnerability
In OneUptime versions prior to 10.0.20, untrusted Playwright code is executed inside a Node.js vm but is provided with live host Playwright objects. This allows a low-privileged authenticated user to bypass sandbox restrictions by directly calling browser.browserType().launch() to spawn an arbitrary executable on the probe host or container.
Business impact
This vulnerability carries a CVSS score of 9.9, which places it at critical severity. An attacker can achieve full remote code execution on the probe, allowing them to compromise the probe container, read sensitive environment variables, and potentially move laterally into the wider infrastructure.
Remediation
Immediate Action: Update OneUptime to version 10.0.20 or later to ensure that Playwright objects are not exposed to the user-controlled execution environment.
Proactive Monitoring: Review synthetic monitor scripts for calls to launch() or other sensitive browser management functions and audit container processes for unauthorized binaries.
Compensating Controls: Restrict the privileges of the container running the oneuptime-probe and implement strict outbound network filtering to prevent command-and-control communication.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The ability of low-privileged users to execute arbitrary code on the probe host is a critical security failure. Administrators must upgrade to version 10.0.20 immediately to mitigate the risk of a full container compromise and, potentially, a cluster-wide one.