CVE-2026-33396

OneUptime · OneUptime

OneUptime versions prior to 10.0.35 allow low-privileged users to achieve remote code execution on the Probe container by escaping the Playwright sandbox via unblocked internal properties.

Executive summary

A critical sandbox escape in OneUptime allows authenticated, low-privileged users to execute arbitrary commands on the underlying host or container by abusing the Synthetic Monitor feature.

Vulnerability

The root cause is an incomplete denylist in the VMRunner.runCodeInNodeVM sandbox. A low-privileged authenticated user (ProjectMember) can traverse from the live Playwright page object available to Synthetic Monitor scripts to its internal _browserType.launchServer method, which lets them spawn arbitrary processes outside the intended sandbox.

Business impact

This vulnerability facilitates lateral movement and full container compromise from a low-privileged account. With a CVSS score of 9.9, the impact is severe, potentially leading to the theft of monitoring data, credential harvesting from the host, and disruption of observability services.

Remediation

Immediate Action: Update OneUptime to version 10.0.35 or higher to apply the corrected sandbox restrictions.

Proactive Monitoring: Audit Synthetic Monitor scripts for any access to internal (underscore-prefixed) Playwright properties, or to the browser() or context() methods, that goes beyond what ordinary monitoring needs.

Compensating Controls: Apply container hardening that limits the blast radius of a sandbox escape, such as AppArmor or SELinux profiles, and ensure the Probe containers run with the least possible privileges on the host.
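The incomplete-denylist root cause described under Vulnerability points at the usual fix for script sandboxes: allowlist what the script may touch rather than enumerate what it may not. The following is an added defensive example, not OneUptime's code or its 10.0.35 fix: a monitor script receives a Proxy that exposes only a few Page methods and flattens their results to plain data, so underscore-prefixed internals such as _browserType are unreachable. The Page object is a constructed stand-in, and the exposed method names (goto, title, textContent) are assumptions chosen for illustration.

```javascript
// Added example, not OneUptime's code: allowlist the Page surface a monitor script
// may use instead of denylisting known-bad properties. Each exposed method maps to
// a reducer that flattens its result to plain data, so live Playwright objects and
// their underscore internals never reach the script.
const PAGE_SURFACE = new Map([
  ['goto', (response) => (response ? response.status() : null)],
  ['title', (value) => String(value)],
  ['textContent', (value) => (value == null ? null : String(value))],
]);

function exposePage(page) {
  return new Proxy(Object.create(null), {
    get(_target, prop) {
      if (typeof prop === 'symbol') return undefined; // util.inspect and friends
      if (!PAGE_SURFACE.has(prop)) throw new Error(`page.${prop} is not exposed to monitor scripts`);
      const reduce = PAGE_SURFACE.get(prop);
      return (...args) => {
        // Invoke on the real page so Playwright's own internals keep working;
        // the script only ever holds this proxy and plain values.
        const out = page[prop](...args);
        return out && typeof out.then === 'function' ? out.then(reduce) : reduce(out);
      };
    },
    has: (_target, prop) => PAGE_SURFACE.has(prop),
    set() { throw new Error('page is read-only'); },
  });
}
// Constructed stand-in for a Playwright Page. The real API is async (the wrapper
// handles promises); a synchronous fake keeps this example self-contained.
function makeFakePage() {
  const browserType = { launchServer: () => 'would start a browser server process' };
  return {
    _browserType: browserType,
    title: () => 'Status page',
    goto: (url) => ({ status: () => 200, url: () => url, _request: {} }),
    textContent: (selector) => (selector === 'h1' ? 'All systems operational' : null),
    context: () => ({ browser: () => ({ _browserType: browserType }) }),
  };
}

// A well-behaved monitor script only ever sees plain data.
function runMonitor(page) {
  const safe = exposePage(page);
  const status = safe.goto('https://status.example.test/');
  return { status, title: safe.title(), headline: safe.textContent('h1') };
}

// Message a script gets back when it reaches for anything outside the surface.
function blockedReason(page, prop) {
  try { void exposePage(page)[prop]; return null; } catch (err) { return err.message; }
}
```

Because the proxy returns a fresh closure per call and every result is reduced to a primitive, a script never holds a reference from which Playwright's internal object graph can be reached.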

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability for a low-privileged user to execute code on the infrastructure represents a significant insider threat and lateral movement risk. Application of the 10.0.35 patch is critical to restoring the integrity of the script execution sandbox.