CVE-2025-65966
📋 TL;DR
In OneUptime version 9.0.5598, a user with low permissions can bypass the web interface, which does not offer them account creation, and create new accounts by sending the underlying API requests directly. The server does not enforce the authorization the UI implies, so this is an improper authorization flaw in the API itself, and it affects every deployment running the vulnerable version regardless of how it is hosted. The issue is fixed in version 9.1.0.
💻 Affected Systems
- OneUptime
📦 What is this software?
OneUptime by HackerBay: an open-source observability and monitoring platform (uptime monitoring, status pages, incident management) that is typically self-hosted via Docker or Kubernetes.
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding any low-privilege account creates additional accounts outside the intended workflow. The advisory does not state which role such accounts receive; if the same missing check allows them to be created with elevated roles, the attacker can take over the monitoring platform and the alerting, credentials and status data it holds for the services it observes.
Likely Case
A low-privilege user creates unauthorized accounts to widen their own access or to leave backdoor accounts for persistence that survive the removal of their original account.
If Mitigated
With proper access controls and monitoring, unauthorized account creation attempts would be detected and blocked.
🎯 Exploit Status
Exploitation requires an authenticated low-privilege user, but is otherwise straightforward: the attacker replays the account-creation API request that the admin UI would send, using their own session. No memory corruption or race condition is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1.0
Vendor Advisory: https://github.com/OneUptime/oneuptime/security/advisories/GHSA-m449-vh5f-574g
Restart Required: Yes
Instructions:
1. Back up your current OneUptime installation and data.
2. Update to version 9.1.0 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the OneUptime services.
4. Verify that the update was applied (see "How to Verify" below).
🔧 Temporary Workarounds
API Access Restriction
Implement network-level restrictions so that the API is reachable only from trusted sources. Note the limit of this workaround: the vulnerability is exercised by an already authenticated low-privilege user, so IP allow-listing only helps where such users sit outside the trusted network. It does not stop a low-privilege user who is on it.
# Allow the OneUptime API port only from a trusted source, then drop everything else.
# Set the two variables to your API port and trusted address before running.
API_PORT="${API_PORT:?set to the port OneUptime's API listens on}"
TRUSTED_IP="${TRUSTED_IP:?set to the trusted source address or CIDR}"
iptables -A INPUT -p tcp --dport "$API_PORT" -s "$TRUSTED_IP" -j ACCEPT
iptables -A INPUT -p tcp --dport "$API_PORT" -j DROP
Enhanced Monitoring
Implement logging and alerting for account-creation events. The advisory does not document a OneUptime setting for this, so log at the reverse proxy or API gateway in front of OneUptime: record method, path, status and the authenticated user for every API request, and alert when an account-creation request is made by a user who does not hold an administrative role, or when one user creates several accounts in a short window.
🧯 If You Can't Patch
- Implement strict access controls and monitor all account creation activities.
- Block the account-creation API route at the reverse proxy for everyone except administrative sources. Hiding the function in the UI is not enough, since the UI is exactly what the attacker bypasses; the advisory does not name the route, so identify it by capturing the request the admin UI sends (browser developer tools) and restrict that path.
🔍 How to Verify
Check if Vulnerable:
Check your OneUptime version. The advisory names 9.0.5598 as the affected version; treat any release earlier than 9.1.0 as potentially affected and upgrade rather than assuming only that exact build is vulnerable.
Check Version:
Read the version from the OneUptime web interface admin panel, or, for Docker deployments, run docker ps | grep oneuptime and read the image tag of the running containers.
Verify Fix Applied:
After updating, verify the version is 9.1.0 or later and test that low-privilege users cannot create accounts via direct API calls.
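The following script is an added example for the verification step above, not code from the advisory or from the OneUptime project. It sends the account-creation request that the admin UI would send, but with a deliberately low-privilege credential, and reads the verdict off the HTTP status. The base URL, the token, the /api/user path and the request body are all assumptions: capture the real path and body from the UI's own request with browser developer tools. Run it against a staging instance, because on a vulnerable build a successful probe creates a real account that you then have to delete.

```python
import json
import urllib.error
import urllib.request

# Assumptions (none of these values come from the advisory): the base URL,
# a session token for a deliberately low-privilege account, and the
# account-creation endpoint and body captured from the web UI's own request.
BASE_URL = "https://oneuptime.example.internal"
LOW_PRIV_AUTH = "Bearer <low-privilege-token>"
CREATE_PATH = "/api/user"
CREATE_BODY = {"email": "probe-should-fail@example.internal", "name": "probe"}


def build_request(base_url, path, auth_header, body):
    """Build the POST the admin UI would send, carrying the low-privilege credential."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
    )
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", auth_header)
    return req


def send(req, timeout=10):
    """Return the HTTP status code; 4xx/5xx responses are results, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(status):
    """Map the status of a low-privilege creation attempt to a fix verdict."""
    if status in (401, 403):
        return "fixed: request rejected by authorization"
    if 200 <= status < 300:
        return "VULNERABLE: low-privilege account created a user"
    # 400/404/409 etc. usually mean the path or body is wrong, not that the fix works.
    return f"inconclusive: HTTP {status}, check endpoint and body"


if __name__ == "__main__":
    status = send(build_request(BASE_URL, CREATE_PATH, LOW_PRIV_AUTH, CREATE_BODY))
    print(verdict(status))
```

Only a 401 or 403 counts as evidence that the fix is in place; a validation error or a 404 proves nothing about authorization, which is why those are reported as inconclusive rather than as fixed.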
📡 Detection & Monitoring
Log Indicators:
- Multiple account creation events from low-privilege users
- API requests to account creation endpoints from unauthorized sources
Network Indicators:
- Unusual API call patterns to user management endpoints
- Account creation requests bypassing the web interface
SIEM Query (illustrative; the field names and the /api/user path are placeholders, since OneUptime does not emit a user_role field and the advisory does not name the endpoint, so map them to the fields your proxy or API logs actually carry):
source="oneuptime" AND (event_type="account_creation" OR api_endpoint="/api/user") AND user_role="low_privilege"
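The detection logic behind the indicators and query above, as an added example that is not part of the advisory or of OneUptime itself. It runs over constructed access-log lines in a generic "timestamp user method path status" shape (not real OneUptime output), joins them against an assumed role map, flags account-creation POSTs by non-admin users, and separately flags users who succeeded several times inside a short window. The /api/user path and the log format are assumptions; adapt the regex and the path set to your proxy's format and to the route you captured from the UI.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log (not real OneUptime output). The field
# layout and the /api/user path are assumptions; adapt to your proxy format.
SAMPLE_LOG = """\
2025-11-01T10:00:01Z user=u1 POST /api/user 201
2025-11-01T10:00:05Z user=u1 POST /api/user 201
2025-11-01T10:00:09Z user=u1 POST /api/user 201
2025-11-01T10:02:00Z user=admin1 POST /api/user 201
2025-11-01T10:03:00Z user=u2 GET /api/user 200
2025-11-01T10:04:00Z user=u2 POST /api/user 403
"""

# Assumed role map, e.g. exported from your identity source or the OneUptime admin panel.
ROLES = {"admin1": "admin", "u1": "member", "u2": "member"}
ACCOUNT_CREATION_PATHS = {"/api/user"}  # assumed; confirm against the UI's own requests

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["status"] = int(ev["status"])
    return ev


def find_unauthorized_creations(log_text, roles, paths=ACCOUNT_CREATION_PATHS):
    """Account-creation requests (POST to a creation path) made by non-admin users.

    Each hit carries 'succeeded' so that a 2xx (vulnerable build, account created)
    and a 401/403 (patched build rejecting the attempt) are both reported.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in paths:
            continue
        if roles.get(ev["user"]) == "admin":
            continue
        ev["succeeded"] = 200 <= ev["status"] < 300
        hits.append(ev)
    return hits


def find_bursts(hits, window=timedelta(minutes=5), threshold=3):
    """Users with at least `threshold` successful creations inside any `window`."""
    by_user = defaultdict(list)
    for ev in hits:
        if ev["succeeded"]:
            by_user[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    hits = find_unauthorized_creations(SAMPLE_LOG, ROLES)
    for ev in hits:
        print(f"{ev['ts']:%Y-%m-%dT%H:%M:%SZ} {ev['user']} status={ev['status']} "
              f"{'SUCCESS' if ev['succeeded'] else 'rejected'}")
    print("burst creators:", sorted(find_bursts(hits)))
```

Rejected attempts are still worth alerting on after patching: a 403 on this route from a member account is someone probing for the bypass, and that is the signal the "If Mitigated" case above depends on.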