


Perceptive Security
SOC/SIEM Consultancy

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code…
Published:
9 March 2026 at 23:00:00
Alert date:
10 March 2026 at 18:06:15
Source:
nvd.nist.gov
Web Technologies, Enterprise Applications
The OneUptime monitoring solution contains a critical vulnerability in versions prior to 10.0.18 that allows remote code execution through a sandbox escape. The vulnerability is in the Synthetic Monitors feature, which executes untrusted JavaScript code inside the Node.js vm module, an insecure sandbox. Attackers can use prototype-chain escape techniques to bypass the sandbox and execute arbitrary system commands. Because the probe container holds database and cluster credentials in its environment variables, exploitation leads to complete cluster compromise, a severe impact for monitoring infrastructure.
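The credential exposure described above can be checked for and reduced on the defender's side. The following is an added example, not OneUptime code and not the project's fix: it audits an environment for credential-like variables and builds an allowlisted environment for the process that runs user scripts. It does not address the sandbox escape itself, and all variable names and values are constructed.

```javascript
// Added example (not OneUptime code). Names and values below are constructed.
const SECRET_NAME = /(PASSWORD|PASSWD|SECRET|TOKEN|CREDENTIAL|(^|_)KEY$)/i;
// URL carrying user:password, e.g. redis://user:pass@host:6379
const SECRET_URL = /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]+:[^\/\s@]+@/i;

// List variables that would hand credentials to any code running in the process.
function auditEnv(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (SECRET_NAME.test(name)) {
      findings.push({ name, reason: 'credential-like name' });
    } else if (SECRET_URL.test(String(value))) {
      findings.push({ name, reason: 'URL with embedded password' });
    }
  }
  return findings;
}

// Build the environment for the script-running process from an explicit
// allowlist, and refuse an allowlist that would let a credential through.
function buildWorkerEnv(env, allowlist) {
  const out = {};
  for (const name of allowlist) {
    if (Object.prototype.hasOwnProperty.call(env, name)) out[name] = env[name];
  }
  const leaked = auditEnv(out);
  if (leaked.length > 0) {
    throw new Error('allowlist exposes: ' + leaked.map((f) => f.name).join(', '));
  }
  return out;
}

// Constructed sample of a probe container environment (hypothetical names).
const sampleProbeEnv = {
  PATH: '/usr/local/bin:/usr/bin',
  NODE_ENV: 'production',
  PROBE_NAME: 'probe-1',
  DATABASE_PASSWORD: 'example-only',
  CLUSTER_KEY: 'example-only',
  REDIS_URL: 'redis://default:example-only@redis:6379',
};

console.log(auditEnv(sampleProbeEnv));
console.log(buildWorkerEnv(sampleProbeEnv, ['PATH', 'NODE_ENV', 'PROBE_NAME']));
```

Pass the result of `buildWorkerEnv` as the `env` option when spawning the script runner as a separate process, so the parent's credentials are not inherited.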
Technical details
Affected products:
OneUptime
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-30887
https://github.com/OneUptime/oneuptime/security/advisories/GHSA-h343-gg57-2q67
This article was created with the assistance of AI technology by Perceptive.
