MEDIUM 6.3

CVE-2026-44287: FastGPT JavaScript Sandbox Bypass and RCE (CVSS 6.3)

FastGPT, an AI Agent building platform, contains a sandbox escape vulnerability in versions before 4.15.0-beta1. The issue stems from an incomplete regex filter designed to block dynamic imports in a JavaScript sandbox environment. An attacker with valid platform access can craft a specially formatted import statement using block comments to bypass the filter, gaining the ability to execute arbitrary system commands within the sandbox container. This allows an authenticated user to break out of the intended sandbox isolation and run code with the permissions of the sandbox process.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-184, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the JavaScript sandbox worker (projects/code-sandbox/src/pool/worker.ts:356) which attempts to prevent dynamic import() calls via regex validation. The pattern /\bimport\s*\(/.test(code) matches 'import' followed by ASCII whitespace and an opening parenthesis, but JavaScript syntax permits block comments (/* */) between the import keyword and parenthesis. Since the forward slash and asterisk characters are not part of the \s character class, the payload import/**/("child_process") bypasses the regex while remaining syntactically valid JavaScript. The import() function is not proxied through safeRequire (which only intercepts require calls), allowing direct module loading. An attacker can then invoke child_process.execSync() to execute arbitrary commands as the sandbox process user (uid=100).

Business impact

This vulnerability enables authenticated attackers to escape the sandboxed execution environment and run arbitrary system commands. Organizations using FastGPT to execute user-supplied or untrusted code face potential data exfiltration, lateral movement within infrastructure, denial of service, and compromise of the host system. The risk is amplified if the sandbox container has access to sensitive environment variables, mounted volumes, or network resources. For multi-tenant deployments, a compromised sandbox could be leveraged to access data or resources of other tenants.

Affected systems

FastGPT versions prior to 4.15.0-beta1 are affected. The vulnerability is present in the JavaScript sandbox worker component, which is core to the platform's ability to safely execute AI agent code. Only users running FastGPT in environments where untrusted or user-supplied code execution is a concern should prioritize this fix, though any deployment accepting external code inputs is at risk.

Exploitability

Exploitation requires valid authentication to the FastGPT platform (PR:L per CVSS vector) and the ability to define or execute code within an agent workflow. No user interaction is needed once code execution is triggered. The attack is straightforward to execute—crafting the malicious import statement requires only basic JavaScript knowledge. The low barrier to exploitation combined with direct authentication access makes this a practical concern for organizations with multiple users or integration scenarios.

Remediation

Upgrade FastGPT to version 4.15.0-beta1 or later. This release fixes the regex to properly detect and block dynamic imports regardless of embedded comments. Organizations should coordinate upgrades during maintenance windows to avoid disrupting active AI agent workflows. Verify the upgrade in a test environment before production deployment.

Patch guidance

Apply version 4.15.0-beta1 or a subsequent stable release when available. Review the official FastGPT release notes and security advisories to confirm the patch addresses this specific bypass. If using a deployment mechanism (Docker, Kubernetes, package manager), pull the updated version and restart the service. Test sandbox isolation post-upgrade by attempting the known bypass payload to confirm the regex fix is in place.

Detection guidance

Monitor sandbox process logs for unexpected child_process module loads or execSync() calls originating from user-supplied code. Examine code submissions to agents for import statements containing block comments or other comment syntax between 'import' and '('. Network monitoring can detect unusual outbound connections from sandbox containers. If feasible, review audit logs for authentication events paired with subsequent code execution anomalies. Security teams should also look for file system access patterns inconsistent with the intended sandbox use case.

Why prioritize this

While the CVSS score is moderate (6.3), the vulnerability directly enables sandbox escape and arbitrary code execution, which are high-impact outcomes. The requirement for authentication reduces the attack surface compared to unauthenticated exploits, but organizations with multiple users, external integrations, or untrusted agent definitions should treat this as a near-term priority. The fix is available and straightforward to deploy, making remediation feasible without excessive operational burden.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects a Medium severity due to the authentication requirement (PR:L) and single-party impact scope (S:U), but accounts for low attack complexity (AC:L), network accessibility (AV:N), and direct impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). In practice, the true organizational risk may be higher if the FastGPT deployment accepts code from numerous users or untrusted sources, as the exploit is trivial to execute once authenticated. Conversely, risk is lower in isolated, single-user, or highly controlled deployments.

Frequently asked questions

Can this vulnerability be exploited without authentication?

No. The vulnerability requires valid credentials and the ability to define or execute code within a FastGPT agent workflow. This limits exploitation to authenticated users or scenarios where an attacker has gained initial platform access.

What happens if an attacker executes the bypass payload?

The attacker gains the ability to run arbitrary system commands with the privileges of the sandbox process (uid=100). Depending on container configuration, this could enable data exfiltration, lateral movement, or interference with other sandbox operations. The impact severity depends on what resources and network access the container possesses.

Should I wait for a stable release or can I deploy the beta patch?

Verify with your organization's release management policy. Version 4.15.0-beta1 is a beta release and may not be suitable for production without additional testing. Monitor the FastGPT project for a stable 4.15.0 or later release, but don't delay testing the beta in a non-production environment to understand the fix and plan your upgrade timeline.

Are there workarounds if I cannot upgrade immediately?

Short-term mitigations include restricting who can author or upload FastGPT agents to trusted internal teams, disabling the execution of agents from external sources, and monitoring sandbox logs for suspicious import patterns. However, these are not substitutes for the patch—upgrade as soon as feasible.

This analysis is based on the published CVE description and CVSS assessment. No exploit code or active proof-of-concept is provided. Organizations should verify all patch version numbers, deployment procedures, and compatibility with their environment against the official FastGPT security advisories and release notes. The vulnerability requires valid authentication; assess your user base and code execution policies to determine organizational risk. This information is for educational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).