Description
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
Published: 2026-05-29
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FastGPT’s JavaScript sandbox worker contains a regex that blocks dynamic import statements using only ASCII whitespace. The regex fails to recognize a syntactically valid import statement that interleaves a block comment, allowing an attacker to load the child_process module and execute arbitrary shell commands as uid=100 inside the sandbox container. This results in remote code execution.

Affected Systems

The vulnerability applies to the FastGPT platform from labring, affecting all releases prior to 4.15.0-beta1. Users running the sandbox component in these versions are exposed.

Risk and Exploitability

With a CVSS score of 6.3 the risk is moderate, and no EPSS data is currently available. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the injection of crafted JavaScript code into the code-sandbox where the import statement is parsed. Successful exploitation would allow an attacker to run arbitrary commands inside the sandbox container.

Generated by OpenCVE AI on May 29, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FastGPT to version 4.15.0-beta1 or later, which includes a fixed regex that correctly detects dynamic import statements.
  • If an upgrade is not immediately possible, restrict or disable use of the child_process module within the sandbox environment to prevent execution of external commands.
  • Apply general sandbox hardening practices, such as validating code inputs, limiting execution privileges, and monitoring for unexpected shell invocations.

Generated by OpenCVE AI on May 29, 2026 at 21:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Labring
Labring fastgpt
Vendors & Products Labring
Labring fastgpt

Fri, 29 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
Title FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable
Weaknesses CWE-184
CWE-94
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Labring Fastgpt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:33:53.500Z

Reserved: 2026-05-05T17:39:31.112Z

Link: CVE-2026-44287

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-29T20:16:24.243

Modified: 2026-05-29T20:23:16.083

Link: CVE-2026-44287

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T21:30:06Z

Weaknesses