OneUptime synthetic monitors enable probe-side RCE via Playwright
TL;DR - OneUptime's synthetic monitors expose live Playwright browser and page objects to user code running in a Node vm sandbox. No sandbox escape is needed: the exposed Playwright objects are enough to launch an attacker binary on the probe.
What happened
OneUptime is an open-source infrastructure monitoring platform; its synthetic monitors run automated browser checks against your sites. The new CVE is critical: attacker-controlled JavaScript inside the Node vm sandbox can reach live Playwright browser and page objects. From there, it can call into Playwright APIs and spawn an attacker-controlled executable on the oneuptime-probe host. The result is RCE without escaping vm itself.
This is a neat illustration of why vm-based sandboxing in Node is not a real security boundary. Even when the sandbox holds, exposed host objects are a direct path to code execution.
Who is impacted
- @oneuptime/common versions < 10.0.21.
- Any user with ordinary project membership who can create/edit synthetic monitors.
- Impact: server-side RCE on probe infrastructure, potentially accessing internal services, secrets, Kubernetes metadata, or database credentials.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Until patched, restrict who can create/edit synthetic monitor code and trigger probe executions.
- Audit probe infrastructure for signs of unauthorized process execution.
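One way to carry out the audit step above, as an added example that is not OneUptime's code: it walks process ancestry in exec events and reports anything descended from the probe that was not started from an expected browser path. The event format, the probe's command line and the browser install path are assumptions, and the sample events are constructed.

```javascript
// Constructed exec events, one JSON object per line, as might be exported from
// an audit or EDR pipeline. Field names, PIDs and paths are assumptions.
const SAMPLE_LOG = `
{"pid":100,"ppid":1,"exe":"/usr/local/bin/node","argv":"node /app/probe.js"}
{"pid":210,"ppid":100,"exe":"/root/.cache/ms-playwright/chromium-0000/chrome-linux/chrome","argv":"chrome --headless"}
{"pid":211,"ppid":210,"exe":"/root/.cache/ms-playwright/chromium-0000/chrome-linux/chrome","argv":"chrome --type=renderer"}
{"pid":300,"ppid":100,"exe":"/tmp/placeholder-binary","argv":"/tmp/placeholder-binary"}
{"pid":301,"ppid":300,"exe":"/bin/sh","argv":"sh -c placeholder"}
{"pid":400,"ppid":1,"exe":"/bin/sh","argv":"sh -c unrelated-job"}
`;

// Assumed deployment details: how the probe process is recognised and where
// the browsers it is expected to launch are installed.
const OPTIONS = {
  probeMatch: /\/app\/probe\.js/,
  allowedPrefixes: ["/root/.cache/ms-playwright/"],
};

function parseEvents(text) {
  return text.split("\n").filter((line) => line.trim()).map((line) => JSON.parse(line));
}

// Return every process that descends from the probe but was not started from
// an allow-listed browser path. Grandchildren are included, so a shell spawned
// by an unexpected binary is reported alongside it.
function findUnexpectedProbeChildren(events, { probeMatch, allowedPrefixes }) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const isProbe = (e) => probeMatch.test(e.argv);
  const descendsFromProbe = (e) => {
    const seen = new Set(); // guards against ppid cycles caused by PID reuse
    for (let p = byPid.get(e.ppid); p && !seen.has(p.pid); p = byPid.get(p.ppid)) {
      if (isProbe(p)) return true;
      seen.add(p.pid);
    }
    return false;
  };
  return events.filter(
    (e) =>
      !isProbe(e) &&
      descendsFromProbe(e) &&
      !allowedPrefixes.some((prefix) => e.exe.startsWith(prefix))
  );
}

for (const e of findUnexpectedProbeChildren(parseEvents(SAMPLE_LOG), OPTIONS)) {
  console.log(`unexpected child of probe: pid=${e.pid} ppid=${e.ppid} exe=${e.exe}`);
}
```

Browser helper processes under the allow-listed path are ignored, while the unrelated shell with no probe ancestor is never considered.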
