OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.
OneUptime uses the built-in Node.js vm module to isolate executed code. The vm module does not provide true security isolation — attackers can escape from it using error objects and infinite recursion. After escaping the sandbox, the attacker's code gains access to the host Node.js environment, exceeding isolation boundaries (scope:changed — S:C in CVSS vector).
An authenticated attacker can remotely execute arbitrary code in the server context (RCE), gaining full control over confidentiality, integrity, and availability of the system, potentially affecting resources beyond the directly attacked application.
OneUptime should be updated to version 10.0.98 or newer, where the vulnerability has been fixed. Details available in the official security advisory on GitHub: GHSA-g9cp-35m2-fjv6
OneUptime (open-source) in all versions prior to 10.0.98
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H