CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27574: OneUptime, One Shell: Escaping the node:vm Sandbox


Vulnerability ID: CVE-2026-27574
CVSS Score: 10.0
Published: 2026-02-24

OneUptime, a popular open-source observability platform, suffered from a catastrophic Remote Code Execution (RCE) vulnerability rooted in a classic misunderstanding of Node.js internals: the built-in node:vm module gives a script its own global scope, but it is not a security boundary, as the Node.js documentation itself warns. By executing user-supplied custom JavaScript monitors through node:vm, the application inadvertently provided a bridge for attackers to escape the sandbox and execute arbitrary commands on the host. With a CVSS score of 10.0, this flaw allows unauthenticated attackers (via open registration) to fully compromise the underlying infrastructure, stealing database credentials and cluster secrets in seconds.

TL;DR

Critical RCE in OneUptime < 10.0.5 allows attackers to escape the 'node:vm' sandbox via custom monitors. Exploitation grants full root access and credential theft.


⚠️ Exploit Status: POC

Technical Details

  • CVSS Score: 10.0 (Critical)
  • CWE ID: CWE-94 (Code Injection)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Impact: Remote Code Execution (RCE)
  • Attack Vector: Network (Authenticated via Registration)
  • Exploit Status: Functional PoC Available

Affected Systems

  • OneUptime Probe
  • OneUptime Server
  • OneUptime Docker Container
  • OneUptime: < 10.0.5 (Fixed in: 10.0.5)

Code Analysis

Commit: 7f9ed4d

fix: security vulnerability in custom javascript monitor

- const vm = require('node:vm');
+ import ivm from 'isolated-vm';
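Review bot: this excerpt shows only the module swap from `require('node:vm')` to `import ivm from 'isolated-vm'`; the lines that actually change how the user script is executed (creating the isolate with a memory limit, building the context, and deciding which values cross into it) are not in the hunk, so the fix cannot be judged from these two lines alone. Note also that the removed line is CommonJS `require` while the added line is an ESM `import`, so the surrounding file must consistently use ESM for this to load.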

Exploit Details

  • GitHub: Full exploit chain demonstrating registration, injection, and environment variable exfiltration.

Mitigation Strategies

  • Immediate Patching
  • Disable Custom Scripting
  • Isolate Monitoring Infrastructure

Remediation Steps:

  1. Upgrade OneUptime to version 10.0.5 or later immediately.
  2. If upgrading is impossible, disable the 'Custom JavaScript' monitor feature in the UI settings.
  3. Disable open user registration to prevent unauthenticated attackers from reaching the attack surface.
  4. Rotate all secrets (Database, Redis, OneUptime Secret) as they should be considered compromised if you were running a vulnerable version exposed to the internet.
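If you ran a vulnerable version and need to decide which monitors to treat as evidence before rotating secrets, a static triage pass over the stored custom-monitor scripts is a quick first step. The scanner below is an added example, not OneUptime code; the indicator list and the sample monitor scripts are constructed for illustration.

```javascript
'use strict';
// Added example, not OneUptime code: a triage scanner for stored custom
// JavaScript monitor scripts. A legitimate monitor probes an endpoint and
// returns a result; it has no reason to touch the host process, load
// modules or poke at object internals. This is an incident-response aid,
// not a sandbox, and it does not replace the upgrade to isolated-vm.
// Indicator list is constructed for this example; tune it to your deployment.
const INDICATORS = [
  { id: 'process-access', re: /\bprocess\s*\./,
    why: 'touches the host process object (env vars, cwd, module loader)' },
  { id: 'require-call', re: /\brequire\s*\(/,
    why: 'loads host modules from inside the monitor' },
  { id: 'child-process', re: /child_process|execSync|spawnSync/,
    why: 'names OS command execution primitives' },
  { id: 'constructor-access', re: /\.\s*constructor\b/,
    why: 'reaches for object internals a health check never needs' },
  { id: 'dynamic-eval', re: /\b(eval|Function)\s*\(/,
    why: 'builds code at runtime, defeating static review' },
];

// Scan one script; returns the indicators it matched, with line numbers.
function scanMonitorScript(name, source) {
  const hits = [];
  for (const ind of INDICATORS) {
    const m = ind.re.exec(source);
    if (m) {
      const line = source.slice(0, m.index).split('\n').length;
      hits.push({ id: ind.id, line, why: ind.why });
    }
  }
  return { name, suspicious: hits.length > 0, hits };
}

// Scan a map of monitor name -> script source (e.g. an export of the
// monitor table from an instance that ran a vulnerable version).
function scanAll(monitors) {
  return Object.entries(monitors).map(([n, src]) => scanMonitorScript(n, src));
}

// Constructed sample monitors standing in for such an export.
const SAMPLE_MONITORS = {
  'api-health': `
    const res = await fetch('https://api.example.internal/health');
    return { ok: res.status === 200 };`,
  'odd-monitor': `
    const host = this.constructor;
    return { dump: JSON.stringify(process.env) };`,
};
for (const r of scanAll(SAMPLE_MONITORS)) {
  console.log(r.suspicious ? 'FLAG ' : 'ok   ', r.name, JSON.stringify(r.hits));
}
```

Any flagged monitor is a reason to treat the host's secrets as exposed and rotate them, independent of whether the script looks like it succeeded.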

References


Read the full report for CVE-2026-27574 on our website for more details including interactive diagrams and full exploit analysis.
