CVE-2025-49131
Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-06-09

Last updated on: 2025-12-29

Assigner: GitHub, Inc.

Description
FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment that FastGPT uses to safely execute user-submitted or dynamically generated code. Before version 4.9.11, the sandbox has insufficient isolation and inadequate restrictions on code execution: it allows an overly permissive set of syscalls, which lets attackers escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import restrictions. This is patched in version 4.9.11 by restricting the allowed system calls to a safer subset and adding more descriptive error messaging.
Meta Information
Published: 2025-06-09
Last Modified: 2025-12-29
Generated: 2026-05-07
AI Q&A: 2025-06-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
fastgpt | fastgpt | to 4.9.11 (exc)
CWE ID | Description
CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the FastGPT project's Python sandbox environment used to safely execute user-submitted or dynamically generated code. Before version 4.9.11, the sandbox had insufficient isolation and overly permissive system call restrictions, allowing attackers to escape the sandbox boundaries. Specifically, attackers could read and overwrite arbitrary files on the host system and bypass Python module import restrictions by exploiting allowed syscalls and dynamic import methods. This could lead to unauthorized access and modification of files and execution of restricted code. [2]


How can this vulnerability impact me?

An attacker with low privileges and no user interaction can exploit this vulnerability to read sensitive files (like /etc/passwd), overwrite arbitrary files with root privileges potentially causing denial of service, and bypass module import restrictions to execute unauthorized code. This can lead to system compromise, data leakage, and service disruption. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the version of the FastGPT sandbox container in use. Versions prior to 4.9.11 are vulnerable. You can verify the version of the FastGPT sandbox container by running commands such as `docker images | grep fastgpt-sandbox` or checking the version tag in your deployment configuration. Additionally, monitoring for unusual file read/write operations or unexpected Python module imports in the sandbox environment may indicate exploitation attempts. Specific commands to detect exploitation attempts are not provided in the resources. [2, 3]
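
The version check described above can be scripted. The following is an added example, not code from the advisory or the FastGPT project: it reads `repository:tag` lines (the shape printed by `docker images --format '{{.Repository}}:{{.Tag}}'`) and classifies each fastgpt-sandbox tag against the fixed version 4.9.11. The registry name, sample tags and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FastGPT project code): triage fastgpt-sandbox image tags
# against 4.9.11, the fixed sandbox version named in the advisory.
FIXED_MAJOR=4 FIXED_MINOR=9 FIXED_PATCH=11

# classify_tag TAG -> prints vulnerable | patched | unknown
classify_tag() {
  t=${1#v}
  # Accept only plain MAJOR.MINOR.PATCH. Tags such as "latest", "<none>" or
  # suffixed builds cannot be ordered reliably, so flag them for manual review.
  case $t in
    *[!0-9.]*|''|.*|*.|*..*) echo unknown; return ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $t            # split on dots into $1 $2 $3
  IFS=$old_ifs
  [ "$#" -eq 3 ] || { echo unknown; return; }
  if [ "$1" -lt "$FIXED_MAJOR" ] ||
     { [ "$1" -eq "$FIXED_MAJOR" ] && [ "$2" -lt "$FIXED_MINOR" ]; } ||
     { [ "$1" -eq "$FIXED_MAJOR" ] && [ "$2" -eq "$FIXED_MINOR" ] && [ "$3" -lt "$FIXED_PATCH" ]; }
  then echo vulnerable; else echo patched; fi
}

# scan_images: read "repository:tag" lines on stdin and print one
# "<verdict> <image>" line for every fastgpt-sandbox image found.
scan_images() {
  while IFS= read -r line; do
    case $line in *fastgpt-sandbox*) ;; *) continue ;; esac
    printf '%s %s\n' "$(classify_tag "${line##*:}")" "$line"
  done
}

# Constructed sample input; the registry name and tags are illustrative only.
SAMPLE='registry.example.com/fastgpt-sandbox:v4.9.10
registry.example.com/fastgpt-sandbox:v4.9.11
registry.example.com/fastgpt-sandbox:v4.10.0
registry.example.com/fastgpt-sandbox:latest
registry.example.com/nginx:1.27.0'

printf '%s\n' "$SAMPLE" | scan_images
```

On a real host, pipe the `docker images --format` output into `scan_images` instead of the sample; an `unknown` verdict means the tag alone does not identify the version and the image needs to be inspected by hand.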


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the FastGPT sandbox container to version 4.9.11 or later, which includes a patch restricting allowed system calls to a safer subset and improves sandbox security. According to the release notes, you should back up your data, then update the FastGPT and FastGPT commercial version Docker image tags to v4.9.11, and update the Sandbox image tag to v4.9.11. No updates are required for mcp_server and AIProxy. This upgrade addresses the insufficient isolation and syscall restrictions that allow sandbox escape. [2, 3]

