CVE-2026-45102
OneUptime · OneUptime
OneUptime is vulnerable to a sandbox escape in its Node.js environment due to the improper use of the vm module.
Executive summary
A critical sandbox escape vulnerability in OneUptime allows for remote code execution by bypassing the Node.js vm module isolation.
Vulnerability
The application relies on the Node.js vm module for code isolation. The vm module is not a security mechanism and was never designed to contain untrusted code; an attacker can escape the sandbox via error objects and recursion and reach the host process.
Business impact
With a CVSS score of 9.9, this vulnerability permits an attacker to escape the intended execution environment and perform arbitrary code execution on the host. This poses a critical threat to the security and stability of the OneUptime platform.
Remediation
Immediate Action: Upgrade OneUptime to version 10.0.98 or later to remediate the sandbox escape vulnerability.
Proactive Monitoring: Monitor for abnormal system calls or unauthorized filesystem access originating from the OneUptime application process.
Compensating Controls: Run the application with restricted OS-level permissions (e.g., using containers or sandboxing technologies) to mitigate the impact of a potential escape.
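To verify the "Immediate Action" step across a fleet, the following is an added helper (not OneUptime's own code) that checks a reported OneUptime version against the fixed release 10.0.98. It assumes plain MAJOR.MINOR.PATCH version strings; an optional leading "v" and any prerelease/build suffix are ignored.

```javascript
// Added example, not OneUptime's own code: decide whether a deployed
// OneUptime version is below the fixed release named in the advisory.
// Assumption: versions are MAJOR.MINOR.PATCH; a leading "v" and any
// "-prerelease" / "+build" suffix are ignored for the comparison.
const FIXED_VERSION = '10.0.98';

// Parse "v10.0.97-rc1" into [10, 0, 97]; reject anything else loudly
// rather than silently treating it as safe.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// True when the instance still runs a release older than the fix.
function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Constructed sample inputs, as an inventory script might collect them
// from each instance's package.json or API version endpoint.
const constructedSamples = ['10.0.97', '10.0.98', 'v10.1.0', '9.9.99'];
for (const v of constructedSamples) {
  const state = isVulnerableVersion(v) ? 'VULNERABLE, upgrade required' : 'fixed';
  console.log(`${v}: ${state}`);
}
```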
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Using the vm module as a security boundary is inherently flawed, since it was never designed to contain untrusted code. Administrators must update to the latest version immediately so that more robust isolation primitives are in place.