CVE-2026-30957: Remote Code Execution via Insecure Sandbox Exposure in OneUptime

OneUptime is an open-source observability platform that utilizes a component known as the Synthetic Monitor to test and validate the availability of online services. This monitor operates by executing user-provided JavaScript and Playwright code within an isolated execution environment. The execution occurs on a dedicated service component, typically deployed as the oneuptime-probe container, which relies on the Node.js vm module to sandbox the external code.

The vulnerability, tracked as CVE-2026-30957, exposes a critical flaw in how this sandbox environment is constructed. The application architecture explicitly injects active, host-realm objects into the virtual machine context. This design pattern falls under CWE-749: Exposed Dangerous Method or Function, as it provides the untrusted execution context direct access to underlying framework capabilities without adequate sanitization or restriction.

Authenticated project members can abuse this architectural flaw to bypass the intended security boundaries of the Node.js virtual machine. By leveraging the specific capabilities of the injected Playwright objects, attackers can force the host system to spawn new, attacker-controlled processes. This results in arbitrary command execution on the oneuptime-probe container.

The vendor addressed this vulnerability in version 10.0.21. The remediation strategy involved removing the insecure object from the injected context and implementing a strict blocklist for specific API methods known to interact with the host operating system's process management functions.

The Node.js vm module provides a mechanism for compiling and running code within V8 Virtual Machine contexts. It is a documented limitation of the vm module that it is not a comprehensive security mechanism for untrusted code execution. Security relies entirely on the host application strictly controlling which objects and functions are injected into the VM's global context.

In the OneUptime oneuptime-probe implementation, a utility class named VMRunner manages the execution of Synthetic Monitor scripts. To allow these scripts to interact with web services, the application injected live Playwright browser and page objects directly into the VM. The developers attempted to secure these objects by wrapping them in a JavaScript Proxy. This Proxy was designed to intercept and block access to internal prototype properties such as __proto__, prototype, and constructor, thereby preventing standard JavaScript prototype pollution and sandbox escape techniques.

However, this defense mechanism failed to account for the inherent, legitimate functionality of the Playwright API itself. The Proxy successfully blocked access to internal V8 engine properties but permitted standard method invocations to pass through to the underlying host-realm Playwright instances. This allowed the sandboxed code to utilize the full documented API of the Playwright framework.

The critical failure point exists within the Playwright Browser class API. The injected browser object exposes a browserType() method, which returns the underlying BrowserType instance (e.g., Chromium or WebKit) operating on the host. This BrowserType instance contains a launch() method designed to spawn new browser processes. The launch() method accepts an executablePath parameter, which instructs the framework to execute a specific binary on the file system. Because this method operates in the host realm, an attacker can specify arbitrary system binaries (such as /bin/sh) instead of a legitimate browser, forcing the Node.js process to spawn a system shell.

The vulnerability originated in the Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts file. During the preparation of the VM context, the application explicitly included the browserSession.browser object in the options passed to the VMRunner.runCodeInNodeVM execution function.

// Vulnerable Code Path (Pre-10.0.21)
result = await VMRunner.runCodeInNodeVM({
  code: options.script,
  options: {
    context: {
      browser: browserSession.browser, // CRITICAL: Host-realm object injected
      page: browserSession.page,
      // ... additional context
    },
  },
});

The vendor patched this implementation in version 10.0.21 by entirely removing the browser object from the injected context. This directly eliminates the primary vector for reaching the browserType().launch() method from within the sandbox environment.

Furthermore, the patch implements a defense-in-depth measure within the Common/Server/Utils/VM/VMRunner.ts file. The developers expanded the BLOCKED_SANDBOX_PROPERTIES Set to explicitly deny access to specific Playwright framework methods. This Proxy configuration intercepts property access and throws an exception if the sandboxed code attempts to reference any of the string values defined in the set.

// Patched Code (10.0.21) - Common/Server/Utils/VM/VMRunner.ts
const BLOCKED_SANDBOX_PROPERTIES: ReadonlySet<string> = new Set([
  "__proto__",
  "prototype",
  "mainModule",
  "browserType", // Added in patch
  "launch", // Added in patch
  "launchPersistentContext", // Added in patch
  "connectOverCDP", // Added in patch
  "newCDPSession", // Added in patch
]);

This two-pronged fix is comprehensive. Removing the browser object eliminates the immediate execution path. Extending the blocklist ensures that even if alternative objects injected into the VM expose these process-spawning methods, the Proxy will intercept and block the property access before execution occurs.

Exploitation requires the attacker to possess an authenticated account on the OneUptime platform with permissions sufficient to create or edit a Synthetic Monitor project. No secondary authentication or internal network access is required, as the application inherently executes user-provided code as part of its core functionality.

The attacker navigates to the Synthetic Monitor configuration interface and embeds a malicious JavaScript payload within the Playwright editor. The platform saves this payload and queues it for execution. When the scheduling engine triggers the monitor, the oneuptime-probe container fetches the payload and executes it via the VMRunner utility.

The proof-of-concept payload directly targets the injected browser object. It invokes browser.browserType().launch() and overrides the default execution parameters. By setting the executablePath to /bin/sh and utilizing the args array to pass the -c flag followed by the target system command, the attacker converts a browser launch request into an arbitrary system command execution.

browser.browserType().launch({
    executablePath: "/bin/sh",
    ignoreDefaultArgs: true,
    args: [
      "-c",
      "id" // Target command for execution
    ],
    timeout: 1000,
  }).catch((err) => {
    console.log(String(err));
  });
 
  return {
    data: {
      launched: true
    }
  };

The oneuptime-probe Node.js process directly spawns the /bin/sh process outside the boundaries of the vm sandbox. The command executes with the permissions of the Node.js user account running within the container. The attacker can capture the standard output and error streams, potentially returning them through the monitor's legitimate logging mechanism or exfiltrating the data via out-of-band network requests.

Exploitation of CVE-2026-30957 yields immediate arbitrary command execution on the oneuptime-probe container. The attacker gains full control over the containerized environment, operating with the privileges assigned to the Node.js application process. This directly compromises the integrity and availability of the monitoring service.

The structural location of the oneuptime-probe container within the broader infrastructure significantly amplifies the impact. These containers often require egress network access to monitor internal and external services. An attacker can leverage a compromised probe as a network pivot point to map internal subnets, access restricted APIs, and launch secondary attacks against internal infrastructure.

Furthermore, the probe container may maintain access to sensitive environmental data. This includes environment variables containing database credentials, internal API tokens, and access to cloud provider metadata services (such as AWS IMDS). An attacker executing arbitrary shell commands can effortlessly extract these secrets, facilitating privilege escalation and lateral movement across the cloud environment.

The vulnerability is scored as a CVSS v3.1 10.0 (Critical) using the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The Scope parameter is marked as Changed (S:C) because the vulnerability explicitly allows an attacker to breach the intended application sandbox (the Node.js VM) and compromise the underlying execution environment (the host container operating system).

Organizations utilizing OneUptime must upgrade all instances, specifically the oneuptime-probe components, to version 10.0.21 or later. This release permanently removes the insecure API exposure and implements the necessary property blocklist to prevent variant sandbox escape techniques.

If immediate patching is technically infeasible, administrators must strictly control access to the Synthetic Monitor feature. Audit all project memberships and enforce the Principle of Least Privilege. Only highly trusted personnel should possess the roles required to create, modify, or execute Synthetic Monitor configurations.

Deploy defense-in-depth measures at the container level. Ensure that the oneuptime-probe container operates with a non-root user account and drops all unnecessary Linux capabilities. Utilize mandatory access control frameworks, such as AppArmor or SELinux profiles, to explicitly restrict the binaries that the Node.js process is authorized to execute.

Implement stringent network egress filtering for the oneuptime-probe container. Deny access to cloud provider metadata IP addresses (e.g., 169.254.169.254) to prevent credential theft. Restrict internal network access to only the specific endpoints that require monitoring, thereby limiting the blast radius of a successful pivot attack.