DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-H343-GG57-2Q67: CVE-2026-27574: Remote Code Execution in OneUptime Probe via VM Sandbox Escape

Vulnerability ID: GHSA-H343-GG57-2Q67
CVSS Score: 10.0
Published: 2026-03-07

A critical Remote Code Execution (RCE) vulnerability exists in the OneUptime Probe component due to unsafe execution of user-supplied JavaScript. The Probe runs Synthetic Monitor scripts through the standard Node.js vm module, which the Node.js documentation itself describes as not a security mechanism and not suitable for running untrusted code. Authenticated attackers, including low-privileged project members, can break out of the sandbox by walking the constructor chain of the contextified sandbox object back to the host realm's Function constructor, and from there to the host process object. This grants full code execution on the underlying server and exposure of critical cluster credentials, including database passwords and the master secret.

TL;DR

The OneUptime Probe executes user-defined monitoring scripts with the Node.js vm module, which is not a security boundary. Attackers can escape the context via this.constructor.constructor, which resolves to the host realm's Function constructor, gaining full RCE on the host and access to all cluster secrets. Fixed in version 10.0.5 by migrating to isolated-vm.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-94
  • CVSS v3.1: 10.0 (Critical)
  • Attack Vector: Network
  • EPSS Score: 0.00055
  • Privileges Required: Low (Project Member)
  • Exploit Status: PoC Available

Affected Systems

  • OneUptime Probe
  • OneUptime Synthetic Monitor Component
  • OneUptime: <= 9.5.13 (Fixed in: 10.0.5)

Code Analysis

Commit: 7f9ed4d

fix: security vulnerability in probe

The diff removes the 'node:vm' usage in SyntheticMonitor/Worker.ts and replaces it with isolated-vm, which runs the monitor script in a separate V8 isolate with its own heap instead of a context that shares the host's.

Exploit Details

Mitigation Strategies

  • Upgrade to version 10.0.5 or later
  • Rotate all cluster secrets (Database, Redis, OneUptime Secret)
  • Disable Synthetic Monitor functionality if patching is delayed
  • Restrict 'Project Member' access to trusted personnel

Remediation Steps:

  1. Pull the latest OneUptime Docker images (tag 10.0.5+).
  2. Redeploy the OneUptime Probe and API services.
  3. Generate new passwords for PostgreSQL, Redis, and ClickHouse.
  4. Update the ONEUPTIME_SECRET variable in the deployment configuration.
  5. Restart the entire cluster to apply the new credentials.
  6. Verify that existing monitors continue to function correctly.

References


Read the full report for GHSA-H343-GG57-2Q67 on our website for more details including interactive diagrams and full exploit analysis.
