VYPR
Medium severity 6.3 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-44287

Description

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A sandbox escape in FastGPT prior to 4.15.0-beta1 allows attackers to bypass a regex-based dynamic import block and execute arbitrary commands via import/**/("child_process").

Vulnerability

The FastGPT code-sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 uses a regex /\bimport\s*\(/ to block dynamic import() calls and prevent sandbox escape. However, JavaScript allows block comments (/*...*/) between import and (; the regex only matches ASCII whitespace (\s), and the comment characters * and / are not in that class. An attacker can supply code like import/**/("child_process"), which parses as a valid dynamic import but bypasses the filter. Affected versions: all prior to 4.15.0-beta1 [1].

Exploitation

The attacker must have the ability to submit JavaScript code to the sandbox worker — this requires either a valid SANDBOX_TOKEN (as configured in default docker-compose deployments) or a flow-author role on the FastGPT backend that forwards code to the sandbox [1]. The payload import/**/("child_process") is submitted; because import() is not proxied by the safeRequire mechanism (which only wraps require), the sandbox loads child_process and calls execSync, leading to command execution [1].

Impact

Successful exploitation yields arbitrary command execution as uid=100(sandbox) inside the sandbox container. The attacker can achieve full confidentiality and integrity compromise (file read/write) and limited availability impact (C:H/I:H/A:L per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L) [1]. In standalone sandbox images exposed without authentication, no prior privilege is needed for a network attacker [1].

Mitigation

The vulnerability is fixed in version 4.15.0-beta1 [1]. Users should upgrade to this or any later release. There is no known workaround; the heuristic regex was acknowledged by the vendor as inherently limited [1]. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Labring/Fastgpt (inferred), 2 versions: <4.15.0-beta1 + 1 more
    • (no CPE) range: <4.15.0-beta1
    • (no CPE) range: <4.15.0-beta1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The regex `/import\s*\(/` used to block dynamic `import()` calls does not match block comments (`/*...*/`) between `import` and `(`, allowing an attacker to bypass the sandbox's JavaScript isolation."

Attack vector

An attacker sends a POST request to `/sandbox/js` with JavaScript code that uses `import/**/("child_process")` instead of a plain `import(`. The regex `/import\s*\(/` matches only ASCII whitespace between `import` and `(`, but a block comment (`/*...*/`) is valid JavaScript whitespace and its bytes are not in the `\s` character class, so the regex does not detect the dynamic import. Because `import()` is not wrapped by the `safeRequire` Proxy (which only proxies `require`), the attacker loads the full `child_process` module and calls `execSync` to execute arbitrary commands as `uid=100(sandbox)` inside the container [1].

Affected code

The vulnerable code is in `projects/code-sandbox/src/pool/worker.ts` at line 356, where a regex `/import\s*\(/` is used to block dynamic `import()` calls. The `safeRequire` Proxy (lines 271-277) only wraps `require`, not `import()`. The HTTP entrypoint at `projects/code-sandbox/src/index.ts:107` (`/sandbox/js`) accepts the attacker's code and forwards it to the sandbox pool.

What the fix does

The advisory recommends replacing the regex with an AST parse using `acorn` or `@babel/parser` to reject any `ImportExpression` node, which would catch all syntactic forms of dynamic import regardless of whitespace or comments. It also suggests wrapping `globalThis.import` with the same allow-list that `safeRequire` enforces, so `import()` and `require()` are subject to identical module policy. The vendor's own code comment acknowledged the regex was a "simple heuristic," confirming the need for a more robust fix [1].
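The gap between the quoted regex and JavaScript's comment grammar, as an added example (not FastGPT's code and not the vendor's fix): `ORIGINAL_FILTER` is the pattern from the description, `skipTrivia`, `findDynamicImports` and `compare` are hypothetical helpers, and the sample strings are constructed. It covers only whitespace and comments between `import` and `(`, so it illustrates the bypass class and can serve as a regression check; it does not replace the AST-based rejection of `ImportExpression` that the advisory recommends.

```javascript
// Added example: pattern quoted in the CVE description (worker.ts:356).
const ORIGINAL_FILTER = /\bimport\s*\(/;

// Hypothetical helper: advance past whitespace, line terminators and
// comments starting at index i; return the index of the next real character.
function skipTrivia(code, i) {
  for (;;) {
    if (/\s/.test(code[i] || "")) { i++; continue; }
    if (code.startsWith("//", i)) {
      while (i < code.length && !/[\n\r\u2028\u2029]/.test(code[i])) i++;
      continue;
    }
    if (code.startsWith("/*", i)) {
      const end = code.indexOf("*/", i + 2);
      if (end === -1) return code.length; // unterminated comment
      i = end + 2;
      continue;
    }
    return i;
  }
}

// Hypothetical helper: offsets of every `import` keyword whose next
// significant character is "(". It does not track string context, so text
// inside a string literal can be flagged too (fails closed, not open).
function findDynamicImports(code) {
  const hits = [];
  for (const m of code.matchAll(/\bimport\b/g)) {
    const next = skipTrivia(code, m.index + m[0].length);
    if (code[next] === "(") hits.push(m.index);
  }
  return hits;
}

// Constructed samples; the second is the payload quoted in the advisory.
const SAMPLES = [
  'import("fs")',
  'import/**/("child_process")',
  'import /* a */\n/* b */ ("x")',
  "importer(2); import.meta.url",
];

// Compare what the original regex blocks with what the trivia-aware scan blocks.
function compare(samples = SAMPLES) {
  return samples.map((code) => ({
    code,
    regexBlocks: ORIGINAL_FILTER.test(code),
    scanBlocks: findDynamicImports(code).length > 0,
  }));
}

console.table(compare());
```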

Preconditions

  • auth: The attacker must be able to send code to the `/sandbox/js` endpoint. In production deployments following FastGPT's shipped docker-compose, this requires either the SANDBOX_TOKEN or an authenticated FastGPT flow-author role. In standalone deployments without SANDBOX_TOKEN, the endpoint is unauthenticated.
  • network: The sandbox container must be reachable over the network from the attacker's machine.
  • input: The submitted code must contain the bypass payload `import/**/("child_process")` (or similar) to evade the regex.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
