CVE-2026-44287
Command Injection in FastGPT JavaScript Sandbox
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fastgpt | fastgpt | to 4.15.0-beta1 (inc) |
| labring | fastgpt | 4.15.0-beta1 |
| labring | code-sandbox | to 4.15.0-beta1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44287 is a vulnerability in the FastGPT AI Agent building platform's JavaScript sandbox worker. The sandbox tries to block dynamic import() calls using a regex that fails to detect import statements containing block comments, such as import/**/("child_process"). This allows an attacker to bypass the restriction and dynamically import the child_process module.
Because the dynamic import is not wrapped by the safeRequire Proxy, which only proxies require calls, the attacker can execute arbitrary commands inside the sandbox container as the sandbox user (uid=100). This leads to sandbox escape and remote code execution.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary commands inside the sandbox container, effectively escaping the sandbox environment. The impact depends on the deployment:
- Standalone sandbox images without authentication are fully exposed, resulting in a critical risk (CVSS 9.4).
- Production deployments that require a SANDBOX_TOKEN or an authenticated FastGPT flow-author role carry a high risk (CVSS 7.7), because an attacker needs token access or authentication to exploit the flaw.
Successful exploitation can lead to remote code execution, potentially compromising the host system or container, leading to data breaches, service disruption, or further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a bypass of a regex check in the JavaScript sandbox worker that attempts to block dynamic import() calls. Detection involves identifying attempts to use dynamic import() with block comments to bypass the regex, such as import/**/("child_process").
To detect exploitation attempts on your system or network, you can monitor logs or sandbox activity for suspicious dynamic import() patterns that include block comments or unusual whitespace.
Specific commands are not provided in the resources, but general approaches include:
- Searching sandbox logs or source code for occurrences of dynamic import() calls with block comments, e.g., using grep or similar tools.
- Monitoring process execution inside the sandbox container for unexpected child_process module usage or execSync calls.
- Using network monitoring tools to detect unusual command execution or outbound connections initiated from the sandbox environment.
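
For the log and source search described above, the following JavaScript is an added example, not FastGPT's code: a comment-aware scan that flags dynamic `import()` even when comments separate the keyword from the parenthesis. It goes slightly beyond the block-comment case by also handling line comments and quoted strings. `NAIVE_RE` is an assumed stand-in for a regex filter (the page does not give the real pattern), and `skipTrivia`, `findDynamicImports` and `SAMPLES` are hypothetical names.

```javascript
// Added example; NAIVE_RE is an assumed stand-in, not FastGPT's actual regex.
const NAIVE_RE = /\bimport\s*\(/;

// Skip whitespace and comments from index i; return the next token's index.
function skipTrivia(src, i) {
  for (;;) {
    while (i < src.length && /\s/.test(src[i])) i++;
    if (src.startsWith("//", i)) {
      const nl = src.indexOf("\n", i);
      i = nl === -1 ? src.length : nl + 1;
    } else if (src.startsWith("/*", i)) {
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
    } else return i;
  }
}

// Return the offset of every `import` keyword whose next real token is "(".
// Template literals are scanned as code so `${import(...)}` is still seen.
function findDynamicImports(src) {
  const hits = [];
  let i = 0;
  while (i < src.length) {
    const next = skipTrivia(src, i);
    if (next !== i) { i = next; continue; }
    const c = src[i];
    if (c === '"' || c === "'") {            // skip a quoted string literal
      i++;
      while (i < src.length && src[i] !== c) i += src[i] === "\\" ? 2 : 1;
      i++;
    } else if (/[A-Za-z_$]/.test(c)) {       // read one identifier or keyword
      let j = i;
      while (j < src.length && /[\w$]/.test(src[j])) j++;
      if (src.slice(i, j) === "import" && src[skipTrivia(src, j)] === "(") hits.push(i);
      i = j;
    } else i++;
  }
  return hits;
}

// Constructed sample submissions (not taken from real logs).
const SAMPLES = [
  'const cp = await import/**/("child_process");',      // comment-split call from the advisory
  'const s = "import(x)"; // import("fs")',             // only inside a string and a comment
  'import fs from "fs"; console.log(import.meta.url);', // static import and import.meta
];
for (const s of SAMPLES)
  console.log(NAIVE_RE.test(s), findDynamicImports(s).length, JSON.stringify(s));
```

This lexer does not model regex literals or quotes inside template text, so it is suited to triage of logged submissions; blocking is the job of the AST-based parser in the fixed release.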
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading FastGPT to version 4.15.0-beta1 or later, where the vulnerability is fixed by replacing the regex with an AST-based parser to properly detect and block all dynamic import() calls.
Additionally, enforce the use of the SANDBOX_TOKEN environment variable in all non-development environments to require authentication and reduce exposure.
For deployments, especially standalone sandbox images without authentication, consider restricting access or disabling the vulnerable sandbox component until patched.