
node:vm Is Not a Sandbox. Stop Using It Like One.
A critical CVE dropped this week on OneUptime, an open-source observability platform that is widely deployed with open registration on by default. The escape was this.constructor.constructor('return process')(). One line. The same line that has been in public writeups since 2017. The same line that has burned vm2 twenty-plus times. The same module that the Node.js documentation warns you about at the top of the page, in a callout block, before you read anything else. And yet here we are.

What Happened

OneUptime lets you write Custom JavaScript monitors, scripts that probe your infrastructure on a schedule. Those scripts run inside vm.runInContext() in a file called VMRunner.ts. Input validation is a Zod string check. That's it. No AST parsing, no keyword filtering, no attempt to inspect what you are actually running. The probe that executes these monitors runs with network_mode: host and has ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD
Continue reading on Dev.to JavaScript



