FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable
FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-94 | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CWE | CWE-184 | CWE-184: Incomplete List of Disallowed Inputs |
Type: CWE
Description: CWE-94: Improper Control of Generation of Code ('Code Injection')
Type: CWE
Description: CWE-184: Incomplete List of Disallowed Inputs
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L