Twenty CRM Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Twenty CRM versions through 1.15.0, specifically within the local.driver.ts module. This issue allows authenticated users to execute arbitrary Node.js code on the server, bypassing any security measures such as sandboxing or namespace isolation. The vulnerability is exploited through the 'Code - Serverless Function' feature in the workflow automation component, which is available to users who can create workflows.

Impact

Exploitation of this vulnerability leads to unauthorized execution of code on the server, with the potential to access sensitive files, environment variables, and application secrets. This could allow an attacker to manipulate the CRM database, forge authentication tokens, and establish persistence on the server.

Reproduction

To reproduce this vulnerability, log into Twenty CRM and navigate to 'Settings > Workflows'. Create a new workflow with a manual trigger and add the 'Code - Serverless Function' action. Paste a payload that uses the 'child_process' module to execute commands, such as reading the '/etc/passwd' file or dumping environment variables. Save and run the workflow to observe the executed commands and returned data.

Remediation

Users are advised to restrict workflow creation permissions to trusted individuals and treat deployment environment variables as potentially exposed. Twenty CRM should implement proper process isolation, runtime sandboxing, OS-level containment, and secret isolation to address this vulnerability.
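The remediation above is the vendor's job; what an administrator can do in the meantime, beyond restricting who may create workflows, is review the serverless-function source already stored in workflows. The following is an added example (not Twenty CRM code and not part of this advisory): a small Node.js audit that flags workflow steps whose source references process spawning, filesystem or socket modules, reads of process.env, or dynamic code construction. The step records and their source are constructed sample data; the field names workflowId, stepName and source are assumptions, not Twenty's schema. Findings are a review signal only, since a source scan is trivially evaded and is no substitute for the process-level isolation the advisory calls for.

```javascript
// Added example, not Twenty CRM code: audit serverless-function source stored in
// workflows for references a CRM automation step should not need (process spawning,
// filesystem, sockets, environment variables, dynamic code). Findings are review
// signals for an administrator; they are not a security boundary, which only the
// process and OS-level isolation the advisory calls for can provide.

const WATCHED_MODULES = new Set([
  'child_process', 'fs', 'fs/promises', 'net', 'http', 'https',
  'vm', 'worker_threads', 'dns', 'cluster',
]);

// require('x'), import ... from 'x' and import('x'), with an optional "node:" prefix.
const MODULE_REF = /(?:require\s*\(\s*|import\s*\(\s*|from\s+)(['"`])(?:node:)?([^'"`]+)\1/g;
// Reads of the deployment environment (the advisory's "application secrets").
const ENV_REF = /\bprocess\.env\b/g;
// Dynamic code construction, which defeats any static review of the stored source.
const DYNAMIC_CODE_REF = /\b(?:eval|Function)\s*\(/g;

// 1-based line number of a character offset, for the reviewer's benefit.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns [{ kind, detail, line }] for one function body; empty array if nothing is flagged.
function auditFunctionSource(source) {
  const findings = [];
  for (const m of source.matchAll(MODULE_REF)) {
    if (WATCHED_MODULES.has(m[2])) {
      findings.push({ kind: 'module', detail: m[2], line: lineOf(source, m.index) });
    }
  }
  for (const m of source.matchAll(ENV_REF)) {
    findings.push({ kind: 'env', detail: 'process.env', line: lineOf(source, m.index) });
  }
  for (const m of source.matchAll(DYNAMIC_CODE_REF)) {
    findings.push({ kind: 'dynamic-code', detail: m[0].replace(/\s+/g, ''), line: lineOf(source, m.index) });
  }
  return findings;
}

// Runs the audit over a list of stored workflow steps ({ workflowId, stepName, source },
// an assumed shape) and returns only the steps that need a human look.
function auditWorkflowSteps(steps) {
  return steps
    .map((s) => ({ workflowId: s.workflowId, stepName: s.stepName, findings: auditFunctionSource(s.source) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample steps (not real Twenty CRM data): one benign, one that should be flagged.
const SAMPLE_STEPS = [
  {
    workflowId: 'wf-001',
    stepName: 'Sum deal values',
    source: 'export const main = async (params) => {\n  return { total: params.deals.reduce((a, d) => a + d.amount, 0) };\n};',
  },
  {
    workflowId: 'wf-002',
    stepName: 'Suspicious step',
    source: "import cp from 'node:child_process';\nexport const main = async () => {\n  return { env: process.env };\n};",
  },
];

// Report flagged steps, one line per finding.
for (const r of auditWorkflowSteps(SAMPLE_STEPS)) {
  console.log(`${r.workflowId} "${r.stepName}":`);
  for (const f of r.findings) console.log(`  line ${f.line}: ${f.kind} ${f.detail}`);
}
```

Run with node on an export of the stored workflow steps; in the sample data only wf-002 is reported, with the child_process import on line 1 and the process.env read on line 3. Extend WATCHED_MODULES to match the deployment, and treat the list as an aid to review rather than an allowlist enforced at runtime.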

Added: Mar 2, 2026, 4:20 PM
Updated: Mar 2, 2026, 9:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.2
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.