Platform
nodejs
Component
@oneuptime/common
Fixed versions
10.0.6
10.0.0
CVE-2026-27574 is a critical Remote Code Execution (RCE) vulnerability discovered in the @oneuptime/common package, a component used for creating custom monitors within the OneUptime platform. This vulnerability allows attackers who can register an account to execute arbitrary code on the underlying server, potentially leading to full cluster compromise. The vulnerability affects versions prior to 10.0.0, and a fix has been released in version 10.0.0.
The impact of CVE-2026-27574 is severe. The vulnerability stems from the way OneUptime allows users to define custom JavaScript monitors. These monitors are executed within Node.js using the vm module, which is explicitly documented by Node.js as unsuitable for running untrusted code. An attacker who can register an account can inject malicious JavaScript code into a monitor. This code then executes with the privileges of the OneUptime probe process, which has host networking access and holds all cluster credentials in its environment. This effectively grants the attacker complete control over the cluster, enabling them to steal sensitive data, modify configurations, and potentially pivot to other systems within the network. The attack pattern mirrors scenarios where untrusted code execution within a containerized environment leads to complete container breakout and host compromise.
CVE-2026-27574 was publicly disclosed on February 24, 2026. The vulnerability's severity is high due to the ease of exploitation and the potential for complete cluster compromise. There are currently no known public exploits or active campaigns targeting this vulnerability, but the availability of the underlying vm module exploitation technique makes it a likely target. The vulnerability has been added to the CISA KEV catalog, indicating a heightened risk of exploitation. Public proof-of-concept code is expected to emerge shortly.
Organizations using OneUptime with custom JavaScript monitors are at risk. This includes teams relying on OneUptime for application performance monitoring and those who have granted project members the ability to create and manage custom monitors. Shared hosting environments where multiple users share the same OneUptime instance are particularly vulnerable, as a compromised account could impact all users on the host.
• nodejs / server:
ps aux | grep 'node -e' | grep '@oneuptime/common'
• nodejs / server:
journalctl -u oneuptime -g 'VMRunner.t'
• generic web: Use curl to check for exposed monitor endpoints and attempt to inject simple JavaScript payloads to test for RCE.
curl 'http://<oneuptime_server>/monitor/execute?script=<malicious_javascript>'
Exploitation status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27574 is to immediately upgrade to version 10.0.0 or later of the @oneuptime/common package. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization for any user-supplied JavaScript code used in monitors. While not a complete solution, this can reduce the attack surface. Review existing monitors for any suspicious or unusual code. Consider implementing a Web Application Firewall (WAF) with rules to detect and block malicious JavaScript payloads targeting the monitor execution endpoint. Monitor system logs for unusual process activity or unexpected network connections originating from the OneUptime probe process. After upgrading, confirm the fix by attempting to execute a known malicious payload within a monitor and verifying that it is blocked or fails to execute.
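The paragraph above recommends reviewing existing monitors for suspicious code as a stopgap while the upgrade is scheduled. The script below is an added example, not OneUptime code and not part of the advisory: it audits stored custom-monitor scripts for tokens that let a script reach outside a vm context (host process object, module loading, prototype-chain walks, runtime code generation) and reports the offending line so a reviewer can triage quickly. The monitor export shape (`{ name, script }`) and the sample monitors are assumptions constructed for the example. Denylist matching like this only prioritises review; because vm is not a security boundary, the upgrade is the only fix.

```javascript
'use strict';
// Added example (not OneUptime code, not from the advisory): triage helper for the
// "review existing monitors" mitigation step. It flags constructs that reach outside
// a vm context. This is a heuristic for prioritising manual review, not a sandbox.

const RISK_PATTERNS = [
  { id: 'process-access', re: /\bprocess\b/,              why: 'touches the host process object (env, binding, exit)' },
  { id: 'require',        re: /\brequire\s*\(/,           why: 'loads host modules such as fs, net or child_process' },
  { id: 'dynamic-import', re: /\bimport\s*\(/,            why: 'loads host modules at runtime' },
  { id: 'constructor',    re: /\.constructor\b/,          why: 'walks the prototype chain toward host intrinsics' },
  { id: 'dynamic-code',   re: /\b(?:eval|Function)\s*\(/, why: 'builds code at runtime, defeating static review' },
  { id: 'global-this',    re: /\bglobalThis\b/,           why: 'enumerates the context globals' },
];

// Returns one finding per (line, pattern) hit so reviewers can jump straight to the line.
function auditMonitorScript(script) {
  const findings = [];
  script.split('\n').forEach((text, idx) => {
    for (const p of RISK_PATTERNS) {
      if (p.re.test(text)) {
        findings.push({ id: p.id, why: p.why, line: idx + 1, text: text.trim() });
      }
    }
  });
  return findings;
}

// monitors: [{ name, script }] as exported from the monitor store (shape assumed here).
function auditMonitors(monitors) {
  return monitors.map(({ name, script }) => {
    const findings = auditMonitorScript(script);
    return { name, risky: findings.length > 0, findings };
  });
}

// Constructed sample input for the example; these are not real monitor definitions.
const SAMPLE_MONITORS = [
  {
    name: 'homepage-status',
    script: [
      "const res = await fetch('https://example.test/health');",
      'return res.status === 200;',
    ].join('\n'),
  },
  {
    name: 'suspicious-inventory',
    script: [
      "const os = require('os');",
      'return Object.keys(process.env).length + os.hostname().length;',
    ].join('\n'),
  },
];

// Human-readable report: one line per monitor, one indented line per finding.
function printReport(report) {
  for (const r of report) {
    console.log(`${r.risky ? 'REVIEW' : 'ok    '} ${r.name}`);
    for (const f of r.findings) {
      console.log(`  line ${f.line}: ${f.id} - ${f.why}`);
    }
  }
}

printReport(auditMonitors(SAMPLE_MONITORS));
```

Run it against a real export by replacing `SAMPLE_MONITORS` with the list of monitors pulled from the database or API; anything marked `REVIEW` should be read by a human before the instance is upgraded, and a clean report does not mean a script is safe, only that it matched none of the listed patterns.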
Update OneUptime to version 10.0.5 or later. This version fixes the sandbox escape vulnerability in the monitoring program's custom JavaScript monitor feature.
CVE-2026-27574 is a critical RCE vulnerability in the @oneuptime/common package, allowing attackers to execute arbitrary code via custom JavaScript monitors, potentially leading to full cluster compromise.
You are affected if you are using @oneuptime/common versions prior to 10.0.0 and have enabled custom JavaScript monitors.
Upgrade to version 10.0.0 or later of the @oneuptime/common package. Implement stricter input validation for user-supplied JavaScript code as a temporary workaround.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation make it a likely target.
Refer to the OneUptime official advisory and release notes for detailed information and updates: [https://oneuptime.io/](https://oneuptime.io/)