FastGPT JavaScript Sandbox Dynamic Import Bypass Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability exists in the FastGPT AI agent building platform in versions prior to 4.15.0-beta1. The issue is in the JavaScript sandbox worker, where a regex check intended to block dynamic imports can be bypassed. An attacker can insert a block comment into the import statement to evade the regex, import the 'child_process' module, and execute arbitrary commands. The vulnerability is present in the 'codex-sandbox' package.

Impact

Exploitation of this vulnerability allows for arbitrary command execution as the 'sandbox' user inside the sandbox container, bypassing intended security controls. The executed commands can access the network, read environment variables, manipulate the sandbox's filesystem, and observe other tenants' workflow states.

Reproduction

The vulnerability can be reproduced by running the FastGPT sandbox image without a 'SANDBOX_TOKEN', which leaves the '/sandbox/js' endpoint unauthenticated. After confirming that the default regex check blocks standard dynamic imports and that 'child_process' requires whitelisting, the bypass is achieved by inserting a block comment into the import statement. The commented form evades the regex check, so the import is processed and the 'child_process' module is loaded, with 'execSync' used to execute commands on the server.

Remediation

Users can update to FastGPT version 4.15.0-beta1 or later, where this vulnerability has been fixed.

Added: May 29, 2026, 8:37 PM
Updated: May 29, 2026, 8:37 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 8.0
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.