JustAppSec

OneUptime: synthetic monitor Playwright exposure can lead to probe-side RCE (CVE-2026-30957)

What happened

GitHub Advisory Database lists CVE-2026-30957 as a Critical vulnerability in OneUptime's synthetic monitors feature, enabling remote code execution on the oneuptime-probe server/container by a low-privileged authenticated project user.

The advisory explains the root cause: attacker-controlled Synthetic Monitor code is executed inside Node's vm, but live Playwright browser / page objects are exposed to that untrusted code. The advisory notes this can be exploited without a separate vm sandbox escape by invoking Playwright APIs to spawn an attacker-controlled executable.

The advisory's timeline shows two dates: the upstream project advisory is marked as published Mar 8, 2026, and the entry was "Published to the GitHub Advisory Database Mar 10, 2026".

Who is impacted

  • Package: npm @oneuptime/common
  • Affected versions: < 10.0.21
  • Patched version: 10.0.21
  • Exploitation precondition: attacker can obtain ordinary project membership (low privileges) and can create/edit synthetic monitors or monitor tests.
  • Impacted component: probe (server-side RCE), especially where the probe can access internal services, secrets, Kubernetes metadata, database credentials, or other cluster-local trust relationships.

What to do now

  • Upgrade OneUptime to a fixed release (patched in @oneuptime/common 10.0.21).
  • Until upgraded, review and restrict who can create/edit Synthetic Monitor code and who can trigger probe executions.
  • Use the advisory's CVSS vector for triage: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H; weakness listed as CWE-749 (Exposed Dangerous Method or Function).

Additional Information

  • Proof-of-concept in the advisory demonstrates RCE by launching a process via Playwright from within the synthetic monitor script (e.g., calling browser.browserType().launch(...) with an attacker-chosen executablePath and arguments).
  • Advisory/release references include the GitHub Advisory (GHSA-jw8q-gjvg-8w4q) and the OneUptime release tag noted on the page (10.0.21).

Source: GitHub Advisory Database
Published 10 Mar 2026
