CVE-2026-44287
Deferred Deferred - Pending Action
Command Injection in FastGPT JavaScript Sandbox

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44287
EUVD
EUVD-2026-33431
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
fastgpt fastgpt to 4.15.0-beta1 (inc)
labring fastgpt 4.15.0-beta1
labring code-sandbox to 4.15.0-beta1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-184 The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-44287 is a vulnerability in the FastGPT AI Agent building platform's JavaScript sandbox worker. The sandbox tries to block dynamic import() calls using a regex that fails to detect import statements containing block comments, such as import/**/("child_process"). This allows an attacker to bypass the restriction and dynamically import the child_process module.

Because the dynamic import is not wrapped by the safeRequire Proxy, which only proxies require calls, the attacker can execute arbitrary commands inside the sandbox container as the sandbox user (uid=100). This leads to sandbox escape and remote code execution.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands inside the sandbox container, effectively escaping the sandbox environment. The impact depends on the deployment:

  • Standalone sandbox images without authentication are fully exposed, resulting in a critical risk (CVSS 9.4).
  • Production deployments that require a SANDBOX_TOKEN or authenticated FastGPT flow-author role have a high risk (CVSS 7.7), as attackers need token access or authentication to exploit.

Successful exploitation can lead to remote code execution, potentially compromising the host system or container, leading to data breaches, service disruption, or further attacks.

Detection Guidance

This vulnerability involves a bypass of a regex check in the JavaScript sandbox worker that attempts to block dynamic import() calls. Detection involves identifying attempts to use dynamic import() with block comments to bypass the regex, such as import/**/("child_process").

To detect exploitation attempts on your system or network, you can monitor logs or sandbox activity for suspicious dynamic import() patterns that include block comments or unusual whitespace.

Specific commands are not provided in the resources, but general approaches include:

  • Searching sandbox logs or source code for occurrences of dynamic import() calls with block comments, e.g., using grep or similar tools.
  • Monitoring process execution inside the sandbox container for unexpected child_process module usage or execSync calls.
  • Using network monitoring tools to detect unusual command execution or outbound connections initiated from the sandbox environment.
Mitigation Strategies

Immediate mitigation steps include upgrading FastGPT to version 4.15.0-beta1 or later, where the vulnerability is fixed by replacing the regex with an AST-based parser to properly detect and block all dynamic import() calls.

Additionally, enforce the use of the SANDBOX_TOKEN environment variable in all non-development environments to require authentication and reduce exposure.

For deployments, especially standalone sandbox images without authentication, consider restricting access or disabling the vulnerable sandbox component until patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44287. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart