CVE-2026-30887 Overview
CVE-2026-30887 is a critical Code Injection vulnerability in OneUptime, an open-source solution for monitoring and managing online services. Prior to version 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container.
Critical Impact
This vulnerability enables authenticated attackers with project member access to completely compromise the OneUptime infrastructure. Because the probe holds database/cluster credentials in its environment variables, successful exploitation directly leads to complete cluster compromise including access to all monitoring data, credentials, and connected systems.
Affected Products
- Hackerbay OneUptime versions prior to 10.0.18
- OneUptime Synthetic Monitor functionality
- OneUptime-probe container deployments
Discovery Timeline
- 2026-03-10 - CVE CVE-2026-30887 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-30887
Vulnerability Analysis
This vulnerability (CWE-94: Improper Control of Generation of Code) stems from OneUptime's use of the Node.js vm module to sandbox user-supplied JavaScript code in its Synthetic Monitors feature. The vm module is documented by Node.js as not being a security mechanism and should never be used to run untrusted code. Despite this warning, OneUptime relied on it to isolate user-provided monitoring scripts.
The exploitation technique leverages JavaScript's prototype chain to escape the sandbox context. When user code executes within the vm sandbox, it can access the constructor of the sandbox's this object, then access that constructor's constructor (which is Function), allowing creation of functions in the parent context outside the sandbox. This classic sandbox escape technique provides direct access to Node.js globals including the process object.
Once an attacker has access to the process object, they can leverage process.mainModule.require or similar techniques to load the child_process module and execute arbitrary system commands on the underlying oneuptime-probe container. The severity is compounded by the fact that this container stores database and cluster credentials in environment variables, accessible via process.env, enabling full infrastructure compromise.
Root Cause
The root cause is the improper use of the Node.js vm module as a security sandbox for executing untrusted user code. The vm module creates a separate V8 context but does not provide isolation from the parent process. JavaScript's prototype chain allows code within the sandbox to traverse up to constructors in the parent context, completely bypassing the intended isolation. This architectural decision to use vm instead of proper isolation mechanisms like separate processes with restricted permissions, Web Workers, or containerized execution environments created this critical vulnerability.
Attack Vector
The attack requires authenticated access with project member privileges in a OneUptime deployment. An attacker with these permissions can create or modify a Synthetic Monitor with malicious JavaScript code. When the monitor executes, the payload escapes the vm sandbox using the prototype-chain technique, gains access to the Node.js runtime, and executes arbitrary commands. The attack is network-accessible and does not require user interaction beyond the initial authentication.
The exploitation flow proceeds as follows: the attacker crafts JavaScript that uses this.constructor.constructor to access the Function constructor outside the sandbox, creates a function that returns the process global, uses process.mainModule.require to load child_process, and finally executes system commands. The attacker can then exfiltrate environment variables containing database credentials or establish persistence within the cluster.
Detection Methods for CVE-2026-30887
Indicators of Compromise
- Unusual process spawning from the oneuptime-probe container, especially shell processes (/bin/sh, /bin/bash, cmd.exe)
- Synthetic Monitor scripts containing strings like constructor.constructor, process.mainModule, or child_process
- Unexpected network connections from the probe container to external addresses
- Access to environment variables or credential files from within monitor execution contexts
- Anomalous API calls to database services from non-standard sources
Detection Strategies
- Implement code review processes for Synthetic Monitor scripts, flagging dangerous patterns such as prototype chain access or process/require references
- Deploy runtime application self-protection (RASP) to detect sandbox escape attempts in real-time
- Monitor container logs for process execution events that indicate command injection
- Use SentinelOne Singularity to detect anomalous process behavior and command execution patterns within containerized environments
- Establish baseline behavior for the oneuptime-probe container and alert on deviations
Monitoring Recommendations
- Enable detailed audit logging for all Synthetic Monitor creation and modification events
- Configure alerts for any access to process.env or environment variable dumps
- Monitor for outbound connections from probe containers to unexpected destinations
- Implement container-level monitoring to detect file system modifications or new process executions
- Track database access patterns for anomalous queries originating from probe service accounts
How to Mitigate CVE-2026-30887
Immediate Actions Required
- Upgrade OneUptime to version 10.0.18 or later immediately
- Audit all existing Synthetic Monitor scripts for potentially malicious code patterns
- Review project membership and remove unnecessary user access to reduce attack surface
- Rotate database and cluster credentials that may have been exposed in probe container environment variables
- Implement network segmentation to limit probe container access to only required services
Patch Information
The vulnerability is fixed in OneUptime version 10.0.18. Organizations should upgrade to this version or later to remediate the vulnerability. The fix addresses the insecure use of the Node.js vm module by implementing proper isolation for user-supplied code execution. For detailed information about the security patch, refer to the GitHub Security Advisory GHSA-h343-gg57-2q67.
Workarounds
- Disable the Synthetic Monitors feature entirely until the patch can be applied
- Restrict project membership to only highly trusted users who require monitoring capabilities
- Implement network-level controls to prevent the probe container from making outbound connections except to monitored endpoints
- Deploy additional container security controls to restrict process execution and file system access within the probe container
- Consider running the probe in a more isolated environment with minimal permissions and no access to sensitive credentials
# Verify OneUptime version after upgrade
oneuptime --version
# Expected output: 10.0.18 or higher
# Audit Synthetic Monitor scripts for suspicious patterns
grep -r "constructor.constructor\|process.mainModule\|child_process" /path/to/monitors/
# Rotate credentials after potential exposure
kubectl delete secret oneuptime-probe-credentials
kubectl create secret generic oneuptime-probe-credentials --from-literal=db-password=$(openssl rand -base64 32)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
