Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-4j36-39gm-8vq8

CRITICAL

OneUptime: Synthetic Monitor RCE via exposed Playwright browser object

Also known asCVE-2026-30921
Published
Mar 7, 2026
Updated
Mar 10, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk35th percentile+0.42%
0.00%0.32%0.63%0.95%0.0%0.0%0.0%0.4%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
📦@oneuptime/common

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Summary

OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page.

This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container.

This appears to be a separate issue from the previously published node:vm(GHSA-h343-gg57-2q67) breakout advisory because the root cause here is exposure of a dangerous host capability object to untrusted code, not prototype-chain access to process.

Details

A normal project member can create or edit monitors and monitor tests:

The dashboard exposes a Playwright code editor for Synthetic Monitors and allows the user to queue a test run:

The probe worker polls queued monitor tests and executes them:

For MonitorType.SyntheticMonitor, the user-controlled customCode is passed into SyntheticMonitor.execute(...):

SyntheticMonitor.execute(...) then runs that code through VMRunner.runCodeInNodeVM(...) and injects the live Playwright browser and page objects into the VM context:

VMRunner.runCodeInNodeVM(...) creates a Node vm context and exposes host objects into it, including the additional context objects:

The proxy wrapper blocks only a small set of property names and still forwards normal method calls with the real host this binding. Because of that, untrusted monitor code can still use legitimate Playwright methods on the injected browser object.

That is enough for code execution because Playwright's Browser exposes browserType(), and BrowserType.launch() accepts attacker-controlled process launch options such as executablePath, args, and ignoreDefaultArgs. An attacker can therefore cause the probe to spawn an arbitrary executable. Even if Playwright later errors because the spawned process is not a real browser, the command has already executed.

This same execution path is also used for normal scheduled monitors, not only one-shot monitor tests:

As a result, the issue can be abused either as a one-shot RCE via Test Monitor or as a persistent scheduled RCE by saving a malicious Synthetic Monitor.

PoC

  1. Log in as any user with normal project membership.
  2. Go to Monitors -> Create New Monitor.
  3. Select Synthetic Monitor.
  4. In Playwright Code, paste the following script:
 const HostFunction =
    Object.getOwnPropertyDescriptor(console, "log").value.constructor;

  return {
    data: {
      node: HostFunction('return process.version')(),
      cwd: HostFunction('return process.cwd()')(),
      id: HostFunction(
        'return process.getBuiltinModule("child_process").execSync("id").toString()'
      )(),
    },
  };
  1. Select any one browser type, for example Chromium.
  2. Select any one screen type, for example Desktop.
  3. Set retry count to 0.
  4. Click Test Monitor and choose a probe.

Expected result:

  • the monitor execution succeeded and in the Show More Details the command output is shown. <img width="899" height="249" alt="image" src="https://github.com/user-attachments/assets/98ebd26f-431b-438e-9459-7deeebf97b18" />

Impact

This is a server-side Remote Code Execution issue affecting the probe component.

Who is impacted:

  • any OneUptime deployment where an attacker can obtain ordinary project membership
  • environments where the probe has access to internal services, secrets, Kubernetes metadata, database credentials, proxy credentials, or other cluster-local trust relationships

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@oneuptime/commonall versions10.0.20

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @oneuptime/common. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @oneuptime/common to 10.0.20 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4j36-39gm-8vq8 is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-4j36-39gm-8vq8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-4j36-39gm-8vq8. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

Summary OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the `oneuptime-probe` service. In the current implementation, this untrusted code is run inside Node's `vm` and is given live host Playwright objects such as `browser` and `page`. This creates a distinct server-side RCE primitive: the attacker does not need the classic `this.constructor.constructor(...)` sandbox escape. Instead, the attacker can directly use the injected Playwright `browser` object to reach `browser.browserType().launch(...)` and spawn an arbitrary exe
O3 Security · Impact-Aware SCA

Is GHSA-4j36-39gm-8vq8 in your dependencies?

O3 detects GHSA-4j36-39gm-8vq8 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works