CVE-2026-45102
Description
OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. That API was not designed for security isolation and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OneUptime prior to 10.0.98 uses Node.js vm module for sandboxing, which can be escaped via error objects and infinite recursion, leading to RCE.
Vulnerability
OneUptime, an open-source monitoring and observability platform, uses the Node.js vm module as an isolation primitive in versions prior to 10.0.98. This API was never designed for security sandboxing and can be escaped through multiple techniques. The VMRunner attempts to block dangerous properties like constructor, __proto__, prototype, mainModule, and certain Playwright methods, but this blocklist is insufficient. An attacker can exploit error objects and infinite recursion to break out of the sandbox [1].
Exploitation
An attacker with authenticated access to the OneUptime dashboard can craft a malicious script that, when executed by the vm module, escapes the sandbox by manipulating error objects or triggering infinite recursion. The official advisory provides a proof-of-concept that demonstrates how to bypass the blocked properties and gain code execution outside the sandbox [1]. No additional user interaction beyond submitting the crafted script is required.
Impact
Successful exploitation allows an attacker to achieve remote code execution (RCE) on the server running OneUptime. This compromises the confidentiality, integrity, and availability of the system, as the attacker can execute arbitrary Node.js code outside the sandbox with the privileges of the application process [1].
Mitigation
The vulnerability is fixed in OneUptime version 10.0.98, which was available by the publication date of 2026-05-27. Users should upgrade to 10.0.98 or later. The advisory gives no workaround; its recommended long-term mitigation is to remove the vm-based runner entirely and keep only the isolated-vm option, which runs scripts in a separate V8 isolate rather than in a vm context of the host process [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"Node.js' vm module is used as an isolation primitive despite not being designed for security confinement, allowing escape via error objects and prototype chain traversal."
Attack vector
An authenticated attacker with project member access navigates to Monitors → Create New Monitor → Synthetic Monitor and pastes a crafted payload into the Playwright code field [1]. The payload uses infinite recursion to trigger an error, then walks the error object's `__proto__` chain to reach the host realm's `Function` constructor, bypassing the sandbox's blocked-property list [1]. The attacker selects a browser type and a screen type, sets the retry count to 0, and clicks Test Monitor with any probe, causing the payload to execute arbitrary shell commands on the server [1].
Affected code
The vulnerability resides in the `VMRunner` component, which uses Node.js' `vm` module as an isolation primitive. The sandbox blocks properties like `constructor`, `__proto__`, `prototype`, `mainModule`, and several Playwright methods, but this blocklist is insufficient to prevent escape [1].
What the fix does
The advisory recommends removing the `vm`-based isolation entirely and keeping only the `isolated-vm` option, because the `vm` module was not designed for security isolation and has known escape vectors [1]. The advisory states that version 10.0.98 fixes the vulnerability; no patch diff is included in the bundle, so the exact change is not shown here [1].
Preconditions
- auth: Attacker must have a valid account with project member access to the OneUptime dashboard
- network: Attacker must be able to access the Synthetic Monitor creation page
- input: Attacker must be able to paste arbitrary JavaScript into the Playwright code field
Reproduction
Log in to the dashboard as a regular project member. Go to Monitors → Create New Monitor → Synthetic Monitor. In the Playwright code field, paste the PoC payload provided in the advisory. Select one browser type (e.g. Chromium) and one screen type (e.g. Desktop). Set the retry count to 0. Click Test Monitor and choose any probe. The results display the contents of `/etc/passwd`, confirming remote code execution [1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0 (no linked articles in the index yet)