CVE-2026-30957
OneUptime · OneUptime Synthetic Monitors
A server-side RCE vulnerability in OneUptime Synthetic Monitors allows low-privileged users to execute arbitrary commands by abusing exposed Playwright browser objects.
Executive summary
OneUptime is vulnerable to remote code execution because it exposes sensitive browser APIs to low-privileged users, allowing them to spawn malicious executables on the server.
Vulnerability
This vulnerability occurs because untrusted Synthetic Monitor code is executed while live host-realm Playwright browser and page objects remain exposed. A low-privileged authenticated project user can call Playwright APIs on these objects to cause the probe server to spawn an attacker-controlled executable, achieving server-side remote code execution without needing a sandbox escape.
Business impact
With a CVSS score of 9.9, this vulnerability allows for the total compromise of the oneuptime-probe server. An attacker can execute arbitrary commands, potentially leading to data exfiltration, service disruption, and lateral movement within the hosting environment. This poses a severe risk to the integrity of the monitoring platform.
Remediation
Immediate Action: Upgrade OneUptime to version 10.0.21 or later to properly isolate Playwright objects from the user execution environment.
Proactive Monitoring: Monitor for unexpected process creation (e.g., shells or unknown binaries) originating from the oneuptime-probe container.
Compensating Controls: Use container security tools to enforce strict syscall filtering and prevent the spawning of unauthorized sub-processes within the application environment.
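A defender-side illustration of the monitoring step above, added here and not part of the advisory or of OneUptime's code: it scans constructed process-creation events (the JSON field names, the sample paths and the allowlist of expected browser binaries are assumptions) and flags shells or unknown binaries started inside the oneuptime-probe container, while letting the Chromium processes Playwright legitimately launches pass.

```python
import json
import os
from typing import Iterable, List, Optional, Tuple

# Constructed sample events in a minimal JSON-lines form. The field names
# are an assumption for this example, not any particular tool's schema.
SAMPLE_EVENTS = [
    '{"container": "oneuptime-probe", "parent": "/usr/bin/node", "exe": "/ms-playwright/chromium/chrome"}',
    '{"container": "oneuptime-probe", "parent": "/usr/bin/node", "exe": "/bin/sh"}',
    '{"container": "oneuptime-probe", "parent": "/usr/bin/node", "exe": "/tmp/unknown-binary"}',
    '{"container": "oneuptime-app", "parent": "/usr/bin/node", "exe": "/bin/sh"}',
    '{"container": "oneuptime-probe", "parent": "/usr/bin/node", "exe": "/usr/bin/node"}',
]

# Children the probe is expected to spawn when Playwright launches a browser.
# Assumption: tune this to the browsers actually installed on the probe host.
EXPECTED_CHILDREN = {"chrome", "chromium", "headless_shell", "firefox", "node"}
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def classify_event(event: dict) -> Optional[str]:
    """Return a finding label for one process event, or None if it looks benign."""
    if event.get("container") != "oneuptime-probe":
        return None
    exe = event.get("exe", "")
    base = os.path.basename(exe)
    if base in SHELLS:
        return "shell spawned"
    if exe.startswith(WRITABLE_DIRS):
        return "binary executed from writable directory"
    if base not in EXPECTED_CHILDREN:
        return "unexpected binary"
    return None


def find_suspicious(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse JSON-lines events and return (exe, reason) for each suspicious one."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        reason = classify_event(event)
        if reason:
            findings.append((event.get("exe", ""), reason))
    return findings


if __name__ == "__main__":
    for exe, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {exe}")
```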
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a critical failure in the isolation of user-provided code. It is imperative that administrators apply the update to version 10.0.21 immediately. Organizations should also review the permissions of users allowed to create synthetic monitors.