N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-675q-66gf-gqg8

EPSS Score

CWE

CWE-284

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-675q-66gf-gqg8

GHSA-675q-66gf-gqg8: OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation

Summary

During the login process, the server response included a parameter called isMasterAdmin. By intercepting and modifying this parameter value from false to true, a user is able to gain access to the admin dashboard interface. However, despite accessing the admin panel, the user does not have sufficient permissions to view or interact with actual data.

PoC

Intercept the login response and change "isMasterAdmin": false → "isMasterAdmin": true <img width="1405" height="567" alt="image" src="https://github.com/user-attachments/assets/7036398b-bb41-46c1-b66a-e49ec2bc3abb" /> <img width="1533" height="476" alt="2" src="https://github.com/user-attachments/assets/4efcaef5-a939-4729-be43-3af62a7d02f8" />

Impact

The admin dashboard is viewable.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-675q-66gf-gqg8

GHSA-675q-66gf-gqg8:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-675q-66gf-gqg8

EPSS Score

CWE

CWE-284

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@oneuptime/common	npm	< 8.0.5567	8.0.5567

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the lack of server-side authorization when serving the OneUptime Admin Dashboard. The system improperly trusted a client-side parameter, isMasterAdmin, which could be manipulated by a user during the login process. The fixing commit 3e72b2a9a4f50f98cf1f6cf13fa3e405715bb370 reveals that the init function in AdminDashboard/Serve.ts was responsible for setting up the admin dashboard. Prior to the patch, this function initialized the application without any server-side checks to confirm if the user was a master admin. The patch rectifies this by introducing a new function, ensureMasterAdminAccess, which validates the user's role by decoding their JSON Web Token (JWT) on the server. This check is now hooked into the application's initialization process within the init function. Therefore, the init function is identified as the vulnerable function because it was the entry point for serving the admin dashboard without proper access control.

Vulnerable functions

init

AdminDashboard/Serve.ts

The `init` function in `AdminDashboard/Serve.ts` is responsible for initializing the admin dashboard application. Before the patch, this function called `App.init` without providing a mechanism to verify user permissions on the server. This meant that any user, regardless of their actual privileges, could access the admin dashboard's front-end if they could manipulate the client-side `isMasterAdmin` flag to `true`. The vulnerability was the absence of a server-side authorization check before serving the admin dashboard content. The patch introduces the `ensureMasterAdminAccess` function, which is passed to `App.init` to perform this check using a JWT, thus mitigating the vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-675q-66gf-gqg8: OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation

Summary

PoC

Impact

GHSA-675q-66gf-gqg8:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

GHSA-675q-66gf-gqg8: OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation

Summary

PoC

Impact

N/A

N/A

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI