OneUptime: RCE due to Node.js’ vm module escape via error...

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.

AI Analysis

Remote Code Execution due to Node.js' vm module escape via error objects and infinite recursion

Basic Information

ID CVE-2026-45102

Source GitHub_M

Published May 27, 2026 at 18:50

Affected Product

Vendor OneUptime

Product oneuptime

Version < 10.0.98

Affected Versions OneUptime oneuptime < 10.0.98

CWE Classification

CWE-693

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor OneUptime

Product OneUptime

Version < 10.0.98

References

github.com /OneUptime/oneuptime/security/advisories/GHSA-g9cp-35m2-fjv6

{
    "lastseen": "",
    "description": "OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be escaped via error objects and infinite recursion. This vulnerability is fixed in 10.0.98.",
    "published": "2026-05-27T18:50:19.418Z",
    "modified": "2026-05-27T18:50:19.418Z",
    "type": "cve",
    "title": "OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion",
    "source": "GitHub_M",
    "references": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-g9cp-35m2-fjv6",
    "id": "CVE-2026-45102",
    "bulletinFamily": "",
    "cwe": [
        "CWE-693"
    ],
    "cvelist": null,
    "sourceData": "OneUptime oneuptime < 10.0.98",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "oneuptime",
    "version": "< 10.0.98",
    "vendor": "OneUptime",
    "ai_description": "Remote Code Execution due to Node.js' vm module escape via error objects and infinite recursion",
    "ai_severity": "Critical",
    "ai_vendor": "OneUptime",
    "ai_product": "OneUptime",
    "ai_version": "< 10.0.98",
    "ai_score": 9.9
}

OneUptime: RCE due to Node.js’ vm module escape via error objects and infinite recursion_CVE-2026-45102