CVE-2026-42343
Status: Received - Intake
Denial of Service in FastGPT via Resource Exhaustion

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches.
Meta Information
Generated: 2026-05-09
AI Q&A: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: fastgpt
Product: code-sandbox
Version / Range: to 4.14.13 (exc)
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the FastGPT AI Agent building platform, specifically its code-sandbox component in versions 4.14.13 and earlier. The issue arises because the platform relies only on an application-level soft limit (a 500ms polling interval) for managing memory, without enforcing strict operating system-level constraints like cgroups or kernel namespaces. This lack of proper resource isolation allows attackers to bypass memory checks using time-window attacks or to overwhelm the JavaScript worker pool by sending many CPU-intensive requests concurrently.

As a result, attackers can cause a complete Denial of Service (DoS) for legitimate users by exhausting system resources.

How can this vulnerability impact me?

The primary impact of this vulnerability is a Denial of Service (DoS) condition. Attackers can exploit the insufficient resource isolation to consume excessive memory and CPU resources, which can crash or severely degrade the performance of the FastGPT platform.

This means legitimate users may be unable to use the service effectively or at all during an attack, leading to service disruption and potential loss of availability.


What immediate steps should I take to mitigate this vulnerability?

At the time of publication, there are no publicly available patches for this vulnerability.

The vulnerability arises from insufficient resource isolation and uncontrolled resource consumption in the FastGPT code-sandbox component, which relies only on an application-level soft limit for memory management and lacks strict OS-level constraints.

Immediate mitigation steps should focus on implementing stricter resource controls at the OS level, such as using cgroups or kernel-level namespaces to limit memory and CPU usage of the code-sandbox component.

Additionally, monitoring and limiting concurrent CPU-intensive requests to prevent exhaustion of the JavaScript worker pool can help reduce the risk of Denial of Service.
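As an added illustration of the mitigation direction described in this answer (this is not FastGPT code and not a patch for this CVE), the following Python runner asks the kernel to enforce memory and CPU-time caps on each sandbox job before the job's code starts, instead of polling memory from user space, and gates admission with a bounded slot count so that a burst of CPU-heavy jobs is rejected rather than exhausting the pool. It uses POSIX rlimits, which are per-process and need no privileges; the cgroup or namespace isolation the advisory recommends adds group-wide accounting but requires root to configure. The limit values, slot count and the three sample job programs are constructed for the demonstration.

```python
"""Kernel-enforced limits for untrusted jobs plus a bounded admission gate.

Added example, not FastGPT's sandbox. Limits are applied in the child between
fork() and exec(), so they exist before any untrusted code runs, and the kernel
(not a 500 ms poller) enforces them. Linux/POSIX only (uses the resource module).
"""
import resource
import signal
import subprocess
import sys
import threading

# Constructed demo values; tune per deployment.
MEMORY_LIMIT_BYTES = 512 * 1024 * 1024  # address-space cap for one job
CPU_SOFT_SECONDS = 1                    # kernel sends SIGXCPU at this CPU time
CPU_HARD_SECONDS = 2                    # kernel sends SIGKILL at this CPU time
WALL_SECONDS = 10                       # wall-clock cap enforced by the parent
MAX_CONCURRENT_JOBS = 2                 # admission gate for CPU-heavy jobs

# Signals a job may die from when it overruns its CPU budget.
CPU_KILL_SIGNALS = (int(signal.SIGXCPU), int(signal.SIGKILL))

# One slot per worker; a job that finds no free slot is rejected immediately
# instead of queueing until every worker is busy.
JOB_SLOTS = threading.BoundedSemaphore(MAX_CONCURRENT_JOBS)

# Constructed sample jobs for the demonstration.
WELL_BEHAVED = "print(sum(range(1000)))"
MEMORY_HOG = "b = bytearray(2 * 1024 ** 3)"  # 2 GiB, far above the cap
CPU_HOG = "while True: pass"                  # never yields CPU


def apply_limits():
    """Runs in the child after fork(), before exec() of the interpreter."""
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_LIMIT_BYTES, MEMORY_LIMIT_BYTES))
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SOFT_SECONDS, CPU_HARD_SECONDS))


def run_job(source):
    """Run untrusted Python source in a limited child process.

    Returns {"status": ..., "signal": ..., "stderr": ...} where status is one of
    "ok", "error" (non-zero exit), "killed" (terminated by a signal),
    "timeout" (wall-clock cap hit) or "rejected" (no free worker slot).
    """
    if not JOB_SLOTS.acquire(blocking=False):
        return {"status": "rejected", "signal": None, "stderr": ""}
    try:
        try:
            proc = subprocess.run(
                [sys.executable, "-c", source],
                preexec_fn=apply_limits,
                capture_output=True,
                timeout=WALL_SECONDS,
            )
        except subprocess.TimeoutExpired:
            # subprocess.run already killed the child for us.
            return {"status": "timeout", "signal": None, "stderr": ""}
        rc = proc.returncode
        err = proc.stderr.decode(errors="replace")
        if rc < 0:
            # Negative return code means the kernel terminated the child.
            return {"status": "killed", "signal": -rc, "stderr": err}
        return {"status": "ok" if rc == 0 else "error", "signal": None, "stderr": err}
    finally:
        JOB_SLOTS.release()


if __name__ == "__main__":
    for name, src in (("well-behaved", WELL_BEHAVED),
                      ("memory hog", MEMORY_HOG),
                      ("cpu hog", CPU_HOG)):
        result = run_job(src)
        print(f"{name}: {result['status']} signal={result['signal']}")
```

The memory hog fails inside the child with a MemoryError the moment it asks for more address space than RLIMIT_AS allows, so there is no window in which the allocation exists but has not yet been observed; the CPU hog is terminated by the kernel at the CPU-time limit regardless of what the job does; and a job arriving while all slots are taken is turned away in microseconds rather than being queued against a saturated pool. In a real service the rejection would map to an HTTP 429 or similar, and the job counts and limits would be exported as metrics for the monitoring the answer mentions.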

