FastGPT Arbitrary Code Execution and Secret Exfiltration Vulnerability in GitHub Actions
Vulnerability
A vulnerability allowing arbitrary code execution and secret exfiltration has been identified in the FastGPT AI agent building platform, specifically in versions through 4.14.8.3. The issue lies in the GitHub Actions workflow file 'fastgpt-preview-image.yml', which runs on pull requests through the 'pull_request_target' trigger. This workflow runs with access to repository secrets but checks out code from the contributor's fork, so a malicious Dockerfile supplied in the pull request is built and executed in that privileged context. As a result, an attacker could exfiltrate sensitive information or introduce backdoors via the Docker images pushed to the production container registry.
Impact
Exploitation of this vulnerability could lead to unauthorized code execution within the GitHub Actions environment, allowing attackers to manipulate Docker images and potentially compromise downstream deployments. Additionally, exposed secrets such as Aliyun Container Registry credentials could be used to overwrite production images or push malicious ones, further escalating the attack.
Reproduction
To reproduce this vulnerability, an external contributor can open a pull request that includes a Dockerfile in the 'projects/app' directory of their forked FastGPT repository. The pull request will trigger the vulnerable workflow, which will execute the code in the Dockerfile with access to repository secrets. This can be used to exfiltrate secrets or execute arbitrary code by, for example, sending the secrets to an external server or including a backdoor in the Docker image.
Remediation
Users are advised to rotate all exposed secrets, audit their Aliyun registry for any unexpected image pushes or tag overwrites, and scope registry credentials to a dedicated service account with limited permissions. Additionally, the workflow can be modified to use 'pull_request' instead of 'pull_request_target' (workflows on the 'pull_request' trigger do not receive repository secrets when the pull request comes from a fork), require maintainer approval before running, or be split into two separate workflows.
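The following audit check is an added example, not code from the advisory or from the FastGPT project. It flags a workflow file that combines the three conditions described above: the 'pull_request_target' trigger, a checkout of the pull request's head, and references to secrets. The embedded workflow is a constructed sample, and its registry host, secret names and step layout are assumptions.

```python
import re

# Constructed sample, NOT the real fastgpt-preview-image.yml; the registry
# host, secret names and step layout are assumptions for illustration.
RISKY = """\
on:
  pull_request_target:
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: docker/login-action@v3
        with:
          registry: registry.example.com
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - run: docker build -f projects/app/Dockerfile -t registry.example.com/app:pr .
"""
# Same file on the unprivileged trigger: fork PRs then run without secrets.
SAFER = RISKY.replace("pull_request_target:", "pull_request:")

# Checkout input that points at the contributor's commit or fork.
HEAD_REF = re.compile(
    r"^\s*(?:ref|repository):\s*\$\{\{\s*github\.event\.pull_request\.head\.", re.M)
SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")

def audit_workflow(text):
    """Report whether a workflow combines the three conditions in the advisory."""
    # Strip YAML comments so a commented-out trigger is not counted (heuristic).
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", ln) for ln in text.splitlines())
    result = {
        "privileged_trigger": bool(re.search(r"\bpull_request_target\b", body)),
        "checks_out_pr_head": bool(HEAD_REF.search(body)),
        "secrets": sorted(set(SECRET.findall(body))),
    }
    result["risky"] = bool(result["privileged_trigger"]
                           and result["checks_out_pr_head"] and result["secrets"])
    return result

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("safer", SAFER)):
        print(name, audit_workflow(wf))
```

The check is text-based and only recognises head checkouts written as a 'ref' or 'repository' input, so a clean result still warrants a manual read of any workflow on the privileged trigger.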
