Skip to content

Commit 3f83ecb

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-4j36-39gm-8vq8 GHSA-pm4j-7r4q-ccg8
1 parent 2c97e2d commit 3f83ecb

File tree

2 files changed

+146
-0
lines changed

2 files changed

+146
-0
lines changed

advisories/github-reviewed/2026/03/GHSA-4j36-39gm-8vq8/GHSA-4j36-39gm-8vq8.json

Lines changed: 91 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,91 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-4j36-39gm-8vq8",
4+
"modified": "2026-03-07T02:39:04Z",
5+
"published": "2026-03-07T02:39:04Z",
6+
"aliases": [],
7+
"summary": "OneUptime: Synthetic Monitor RCE via exposed Playwright browser object",
8+
"details": "Summary\n\nOneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the `oneuptime-probe` service. In the current implementation, this untrusted code is run inside Node's `vm` and is given live host Playwright objects such as `browser` and `page`.\n\nThis creates a distinct server-side RCE primitive: the attacker does not need the classic `this.constructor.constructor(...)` sandbox escape. Instead, the attacker can directly use the injected Playwright `browser` object to reach `browser.browserType().launch(...)` and spawn an arbitrary executable on the probe host/container.\n\nThis appears to be a separate issue from the previously published `node:vm(GHSA-h343-gg57-2q67)` breakout advisory because the root cause here is exposure of a dangerous host capability object to untrusted code, not prototype-chain access to `process`.\n\n## Details\n\nA normal project member can create or edit monitors and monitor tests:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/Monitor.ts#L45-L78\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/MonitorTest.ts#L27-L60\n\nThe dashboard exposes a Playwright code editor for Synthetic Monitors and allows the user to queue a test run:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorStep.tsx#L861-L918\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorTest.tsx#L66-L84\n\nThe probe worker polls queued monitor tests and executes them:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchMonitorTest.ts#L55-L85\n\nFor `MonitorType.SyntheticMonitor`, the user-controlled `customCode` is passed into `SyntheticMonitor.execute(...)`:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/Monitor.ts#L323-L338\n\n`SyntheticMonitor.execute(...)` then runs that code through `VMRunner.runCodeInNodeVM(...)` and injects the live Playwright `browser` and `page` objects into the VM context:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts#L156-L168\n\n`VMRunner.runCodeInNodeVM(...)` creates a Node `vm` context and exposes host objects into it, including the additional context objects:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Server/Utils/VM/VMRunner.ts#L323-L405\n\nThe proxy wrapper blocks only a small set of property names and still forwards normal method calls with the real host `this` binding. Because of that, untrusted monitor code can still use legitimate Playwright methods on the injected `browser` object.\n\nThat is enough for code execution because Playwright's `Browser` exposes `browserType()`, and `BrowserType.launch()` accepts attacker-controlled process launch options such as `executablePath`, `args`, and `ignoreDefaultArgs`. An attacker can therefore cause the probe to spawn an arbitrary executable. Even if Playwright later errors because the spawned process is not a real browser, the command has already executed.\n\nThis same execution path is also used for normal scheduled monitors, not only one-shot monitor tests:\n\n- https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchList.ts#L110-L121\n\nAs a result, the issue can be abused either as a one-shot RCE via `Test Monitor` or as a persistent scheduled RCE by saving a malicious Synthetic Monitor.\n\n### PoC\n\n1. Log in as any user with normal project membership.\n2. Go to `Monitors -> Create New Monitor`.\n3. Select `Synthetic Monitor`.\n4. In `Playwright Code`, paste the following script:\n\n```javascript\n const HostFunction =\n Object.getOwnPropertyDescriptor(console, \"log\").value.constructor;\n\n return {\n data: {\n node: HostFunction('return process.version')(),\n cwd: HostFunction('return process.cwd()')(),\n id: HostFunction(\n 'return process.getBuiltinModule(\"child_process\").execSync(\"id\").toString()'\n )(),\n },\n };\n\n```\n\n5. Select any one browser type, for example `Chromium`.\n6. Select any one screen type, for example `Desktop`.\n7. Set retry count to `0`.\n8. Click `Test Monitor` and choose a probe.\n\nExpected result:\n\n- the monitor execution succeeded and in the `Show More Details` the command output is shown.\n<img width=\"899\" height=\"249\" alt=\"image\" src=\"https://github.com/user-attachments/assets/98ebd26f-431b-438e-9459-7deeebf97b18\" />\n\n\n\n### Impact\n\nThis is a server-side `Remote Code Execution` issue affecting the probe component.\n\nWho is impacted:\n\n- any OneUptime deployment where an attacker can obtain ordinary project membership\n- environments where the probe has access to internal services, secrets, Kubernetes metadata, database credentials, proxy credentials, or other cluster-local trust relationships",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "@oneuptime/common"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "10.0.20"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/OneUptime/oneuptime"
44+
},
45+
{
46+
"type": "WEB",
47+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorStep.tsx#L861-L918"
48+
},
49+
{
50+
"type": "WEB",
51+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/App/FeatureSet/Dashboard/src/Components/Form/Monitor/MonitorTest.tsx#L66-L84"
52+
},
53+
{
54+
"type": "WEB",
55+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/Monitor.ts#L45-L78"
56+
},
57+
{
58+
"type": "WEB",
59+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Models/DatabaseModels/MonitorTest.ts#L27-L60"
60+
},
61+
{
62+
"type": "WEB",
63+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Common/Server/Utils/VM/VMRunner.ts#L323-L405"
64+
},
65+
{
66+
"type": "WEB",
67+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchList.ts#L110-L121"
68+
},
69+
{
70+
"type": "WEB",
71+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Jobs/Monitor/FetchMonitorTest.ts#L55-L85"
72+
},
73+
{
74+
"type": "WEB",
75+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/Monitor.ts#L323-L338"
76+
},
77+
{
78+
"type": "WEB",
79+
"url": "https://github.com/OneUptime/oneuptime/blob/8e90f451426b160718bdd1796b68c5ec15318101/Probe/Utils/Monitors/MonitorTypes/SyntheticMonitor.ts#L156-L168"
80+
}
81+
],
82+
"database_specific": {
83+
"cwe_ids": [
84+
"CWE-749"
85+
],
86+
"severity": "CRITICAL",
87+
"github_reviewed": true,
88+
"github_reviewed_at": "2026-03-07T02:39:04Z",
89+
"nvd_published_at": null
90+
}
91+
}

advisories/github-reviewed/2026/03/GHSA-pm4j-7r4q-ccg8/GHSA-pm4j-7r4q-ccg8.json

Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-pm4j-7r4q-ccg8",
4+
"modified": "2026-03-07T02:39:44Z",
5+
"published": "2026-03-07T02:39:44Z",
6+
"aliases": [],
7+
"summary": "Soroban: Muxed address<->ScVal conversions may break after a conversion failure",
8+
"details": "### Summary\n\nSoroban host ensures that `MuxedAddress` objects can't be used as storage keys in order to proactively prevent the contract logic bugs. However, due to a bug in Soroban host implementation, a failure in `Val`->`ScVal` conversion during the storage key computation will have the flag indicating that storage conversion is happening stuck in the `true` state until the next storage access. While the flag is stuck in `true` state, any `MuxedAddress` object conversions to `ScVal` will fail, i.e. a failure will occur if a `MuxedAddress` is emitted in the event or is serialized to XDR via a host function.\n\n### Impact\n\nThe bug may cause unexpected contract failures in the rare edge case scenarios. In the worst case scenario the whole transaction will fail and the changes will be rolled back. Because the contract call is simply rolled back, there is no risk of the state corruption.\n\nAn example scenario that would be affected by the bug is as follows:\n\n- Contract A calls contract B via `try_call`\n- Contract B calls a storage function (e.g. `put_contract_data`) with a non-convertible `Val` as a key (e.g. a `MuxedAddress` object, or a deeply nested vector)\n- Contract B fails\n- Contract A handles the failure gracefully and proceeds without accessing any storage methods\n- Contract A tries to emit an event with a `MuxedAddress` argument. That should be allowed, but instead of succeeding, contract A fails.\n\n### Patches\n\nThe bug will be fixed in protocol 26.\n\n### Workarounds\n\nWe believe that the bug is highly unlikely to occur in practice, as it involves three rare events happening simultaneously: `Val` conversion failure (these should normally not occur for the audited protocols), graceful handling of a cross-contract call failure (most protocols need cross-contract calls to succeed, or fail with a contract error), and `MuxedAddress` write (most of the contracts don't support `MuxedAddress` at all).\n\nIn the case if the bug does occur, the mitigation depends on the reason of the value conversion failure:\n\n- If the conversion failure has been caused by a malicious contract, then either no action is necessary (because the whole interaction is malicious and has been correctly rolled back), or the contract invocation should be replaced by a non-malicious contract\n- If the conversion failure has been caused by a bad user input for a non-malicious contract (e.g. a bad user input passed to a legitimate protocol), then the user input has to be fixed\n\nIn both scenarios the mitigation is to basically retry the transaction with proper arguments.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "crates.io",
19+
"name": "soroban-env-host"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "26.0.0"
30+
}
31+
]
32+
}
33+
]
34+
}
35+
],
36+
"references": [
37+
{
38+
"type": "WEB",
39+
"url": "https://github.com/stellar/rs-soroban-env/security/advisories/GHSA-pm4j-7r4q-ccg8"
40+
},
41+
{
42+
"type": "PACKAGE",
43+
"url": "https://github.com/stellar/rs-soroban-env"
44+
}
45+
],
46+
"database_specific": {
47+
"cwe_ids": [
48+
"CWE-681"
49+
],
50+
"severity": "LOW",
51+
"github_reviewed": true,
52+
"github_reviewed_at": "2026-03-07T02:39:44Z",
53+
"nvd_published_at": null
54+
}
55+
}

0 commit comments

Comments
 (0)