NocoBase Workflow Script Node Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in NocoBase's Workflow Script Node, prior to version 2.0.28. The issue arises because the Workflow Script Node executes user-supplied JavaScript within a Node.js virtual machine sandbox. This sandboxing includes a custom 'require' allowlist, controlled by the 'WORKFLOW_SCRIPT_MODULES' environment variable. However, the 'console' object provided to the sandbox context inadvertently exposes host-realm WritableWorkerStdio stream objects through 'console._stdout' and 'console._stderr'. An authenticated attacker can exploit this by traversing the prototype chain to escape the sandbox, leading to remote code execution as the root user.
Impact
Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server as the root user, within a Docker container. This could lead to theft of database credentials and unauthorized file access, as well as the establishment of a reverse shell.
Reproduction
To reproduce this vulnerability, an authenticated user can send a POST request to the '/api/flow_nodes:test' endpoint. The request must include a JavaScript payload that exploits the console object to escape the VM sandbox and execute arbitrary commands. The response will confirm the execution of the command, demonstrating the successful exploitation of the vulnerability.
Remediation
Users can upgrade to NocoBase version 2.0.28 or later, where this vulnerability has been patched. Additionally, it is recommended to run the application as a non-root user inside Docker and restrict access to the '/api/flow_nodes:test' endpoint to admin-only roles.