CVE-2026-42343
Received Received - Intake
Denial of Service in FastGPT via Resource Exhaustion

Publication date: 2026-05-08

Last updated on: 2026-05-12

Assigner: GitHub, Inc.

Description
FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-12
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42343
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fastgpt code-sandbox to 4.14.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in FastGPT's code-sandbox component leads to a Denial of Service (DoS) condition by allowing attackers to exhaust system resources. While this impacts availability, the provided information does not specify any direct effects on data confidentiality, integrity, or privacy controls that are typically required for compliance with standards like GDPR or HIPAA.

Therefore, based on the available data, there is no explicit indication that this vulnerability directly compromises compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects the FastGPT AI Agent building platform, specifically its code-sandbox component in versions 4.14.13 and earlier. The issue arises because the platform relies only on an application-level soft limit (a 500ms polling interval) for managing memory, without enforcing strict operating system-level constraints like cgroups or kernel namespaces. This lack of proper resource isolation allows attackers to bypass memory checks using time-window attacks or to overwhelm the JavaScript worker pool by sending many CPU-intensive requests concurrently.

As a result, attackers can cause a complete Denial of Service (DoS) for legitimate users by exhausting system resources.

Impact Analysis

The primary impact of this vulnerability is a Denial of Service (DoS) condition. Attackers can exploit the insufficient resource isolation to consume excessive memory and CPU resources, which can crash or severely degrade the performance of the FastGPT platform.

This means legitimate users may be unable to use the service effectively or at all during an attack, leading to service disruption and potential loss of availability.

Mitigation Strategies

At the time of publication, there are no publicly available patches for this vulnerability.

The vulnerability arises from insufficient resource isolation and uncontrolled resource consumption in the FastGPT code-sandbox component, which relies only on an application-level soft limit for memory management and lacks strict OS-level constraints.

Immediate mitigation steps should focus on implementing stricter resource controls at the OS level, such as using cgroups or kernel-level namespaces to limit memory and CPU usage of the code-sandbox component.

Additionally, monitoring and limiting concurrent CPU-intensive requests to prevent exhaustion of the JavaScript worker pool can help reduce the risk of Denial of Service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42343. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart