QnABot on AWS Arbitrary Code Execution Vulnerability via Sandbox Bypass
Vulnerability
A vulnerability allowing arbitrary code execution has been identified in QnABot on AWS, specifically in versions through 7.2.4. This issue arises from improper use of the static-eval npm package, which may enable an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context. The vulnerability can be exploited by injecting a crafted conditional chaining expression through the Content Designer interface, manipulating the JavaScript prototype to bypass the intended expression sandbox. Successful exploitation could provide access to backend resources such as Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables, which are not typically available through standard administrative interfaces.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of code in the Lambda execution environment, with potential access to sensitive backend resources not normally accessible through administrative channels.
Remediation
Users are advised to upgrade to QnABot on AWS version 7.3.0 or later, and to ensure that any forked or derivative code is also updated. Version 7.3.0 removes the static-eval dependency and replaces it with a custom expression evaluator. Instructions for downloading the latest version are available on the QnABot GitHub releases page.
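To make the remediation concrete, the following is an added example (not QnABot's code and not the evaluator shipped in 7.3.0) of an allowlisted expression evaluator that can stand in for static-eval: it parses a small grammar of its own (literals, comparisons, &&, ||, ?:, dotted paths) and resolves every path hop as an own-property read on a plain data object, so the JavaScript prototype chain, functions and globals are unreachable from an expression. The grammar, the DENY list and the context shape are assumptions of this example, not the project's.

```javascript
// Added example, not QnABot's own code: an allowlist evaluator of the kind that can replace static-eval.
const DENY = new Set(["__proto__", "constructor", "prototype"]);   // never step into prototype machinery
const OPS = [["||"], ["&&"], ["===", "!==", "==", "!="], ["<", ">", "<=", ">="]];   // lowest to highest precedence
const isPlain = (o) => o !== null && typeof o === "object" && [null, Object.prototype].includes(Object.getPrototypeOf(o));
function tokenize(src) {   // numbers, 'strings', identifiers, and only the operators the grammar above allows
  const re = /\s*(?:(\d+(?:\.\d+)?)|'([^']*)'|([A-Za-z_$][\w$]*)|(===|!==|==|!=|<=|>=|&&|\|\||[<>?:().]))/y;
  const s = src.trim(), out = [];
  for (re.lastIndex = 0; re.lastIndex < s.length; ) {
    const at = re.lastIndex, m = re.exec(s);
    if (!m) throw new Error("bad token at " + at);   // e.g. [ ] , ! or backticks: rejected before any evaluation
    out.push(m[1] !== undefined ? { t: "num", v: Number(m[1]) } : m[2] !== undefined ? { t: "str", v: m[2] }
           : m[3] !== undefined ? { t: "id", v: m[3] } : { t: "op", v: m[4] });
  }
  return out;
}
function parse(tokens, i = 0) {   // recursive descent: cond := bin ('?' cond ':' cond)? ; bin := OPS precedence levels
  const isOp = (v) => i < tokens.length && tokens[i].t === "op" && tokens[i].v === v;
  const expect = (v) => { if (!isOp(v)) throw new Error("expected " + v); i++; };
  const cond = () => {
    const test = bin(0); if (!isOp("?")) return test;
    i++; const yes = cond(); expect(":"); return { k: "cond", test, yes, no: cond() };
  };
  const bin = (lvl) => {
    if (lvl === OPS.length) return primary();
    let left = bin(lvl + 1);
    while (i < tokens.length && tokens[i].t === "op" && OPS[lvl].includes(tokens[i].v))
      left = { k: "bin", op: tokens[i++].v, left, right: bin(lvl + 1) };
    return left;
  };
  const primary = () => {
    const tok = tokens[i++]; if (!tok) throw new Error("unexpected end of expression");
    if (tok.t === "op") { if (tok.v !== "(") throw new Error("unexpected " + tok.v); const e = cond(); expect(")"); return e; }
    if (tok.t !== "id") return { k: "lit", v: tok.v };
    const path = [tok.v];   // dotted path a.b.c only: no calls and no [] indexing, so the AST holds nothing but data lookups
    for (; isOp("."); i++) { const p = tokens[++i]; if (!p || p.t !== "id") throw new Error("bad member"); path.push(p.v); }
    return { k: "path", path };
  };
  const ast = cond(); if (i !== tokens.length) throw new Error("trailing input"); return ast;
}
const BIN = { "||": (l, r) => l() || r(), "&&": (l, r) => l() && r(), "===": (l, r) => l() === r(), "!==": (l, r) => l() !== r(),
  "==": (l, r) => l() == r(), "!=": (l, r) => l() != r(), "<": (l, r) => l() < r(), ">": (l, r) => l() > r(), "<=": (l, r) => l() <= r(), ">=": (l, r) => l() >= r() };
function evaluate(node, ctx) {
  if (node.k === "lit") return node.v;
  if (node.k === "cond") return evaluate(node.test, ctx) ? evaluate(node.yes, ctx) : evaluate(node.no, ctx);
  if (node.k === "bin") return BIN[node.op](() => evaluate(node.left, ctx), () => evaluate(node.right, ctx));
  let cur = ctx;   // path: each hop must be an own property of a plain data object, otherwise the result is undefined
  for (const p of node.path) cur = DENY.has(p) || !isPlain(cur) || !Object.prototype.hasOwnProperty.call(cur, p) ? undefined : cur[p];
  return typeof cur === "function" ? undefined : cur;   // never hand a callable back to the template layer
}
const safeEval = (expr, ctx) => evaluate(parse(tokenize(expr)), ctx);   // entry point: expression string + plain context
```

Anything outside the grammar (bracket indexing, calls, unknown operators) fails at parse time instead of being evaluated, and a hop through an inherited or deny-listed name yields undefined rather than an object the expression author never supplied.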
