Impact
OneUptime exposes an OS command injection flaw within the NetworkPathMonitor.performTraceroute() method, allowing any authenticated project user to craft a destination value containing shell metacharacters that are unsafely forwarded to a traceroute system call. This flaw permits arbitrary execution of operating system commands on the Probe server, compromising confidentiality, integrity, and availability by giving attackers full control over that server. The weakness is a classic operating system command injection (CWE‑78).
Affected Systems
The vulnerability affects the OneUptime platform in all releases prior to version 10.0.7, any project that uses a Probe server, and any authenticated user with project‑level privileges who can configure a NetworkPathMonitor. No other vendors, products, or versions are mentioned as impacted.
Risk and Exploitability
The CVSS metric is 10.0, indicating maximum severity; the EPSS score is 2%, suggesting low exploitation probability, yet the flaw is not listed in the KEV catalog. Attackers require a valid user account on the project and can trigger the flaw by submitting a specially crafted traceroute destination. If the attack succeeds, the vulnerability allows execution of arbitrary system commands on the Probe server, which could affect confidentiality, integrity, and availability; the exact scope of impact is not stated in the advisory.
OpenCVE Enrichment
Github GHSA