Description
OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.
Published: 2026-05-27
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the misuse of the Node.js vm module as an isolation primitive in OneUptime. The module was not designed for this use and can be escaped through error objects and infinite recursion, allowing an attacker to execute arbitrary code on the host. The weakness is classified as CWE-693 (Protection Mechanism Failure), and the outcome is remote code execution that compromises the confidentiality, integrity, and availability of the affected system.

Affected Systems

OneUptime (open-source monitoring and observability platform) is impacted. All deployments running a version prior to 10.0.98 are vulnerable. The fix is incorporated in release 10.0.98 and later.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. No EPSS value is available, so the probability of exploitation cannot be quantified, and the CVE is not listed in the KEV catalog, so no widespread active exploitation has been recorded yet. Nevertheless, because the flaw permits arbitrary code execution, it can be exploited over the network by an attacker who can reach a code path that evaluates input inside the vm module. The attack likely requires crafting input that produces an error object or drives infinite recursion to a stack overflow, which could be achieved via API calls or UI interactions.

Generated by OpenCVE AI on May 27, 2026 at 20:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OneUptime to version 10.0.98 or newer, which contains the fix for the vm module usage.
  • If an upgrade is not immediately feasible, restrict or remove any feature that could invoke error objects or recursive calls in the application logic, and enforce strict input validation to prevent infinite recursion.
  • Keep the Node.js runtime and other dependencies on the latest security releases, and apply network controls such as a WAF to filter suspicious payloads.


Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.
Title | | OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion
Weaknesses | | CWE-693
References | |
Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:50:19.418Z

Reserved: 2026-05-08T19:27:26.699Z

Link: CVE-2026-45102

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T20:16:38.250

Modified: 2026-05-27T20:16:38.250

Link: CVE-2026-45102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses