CVE-2026-42343 Overview
CVE-2026-42343 affects FastGPT, an AI Agent building platform developed by labring. Versions 4.14.13 and prior contain a resource exhaustion flaw [CWE-400] in the code-sandbox component. The sandbox relies on an application-level soft limit using a 500ms polling interval for memory management. It lacks operating system enforced constraints such as cgroups or kernel namespaces. Attackers can bypass memory checks through time-window attacks or saturate the JavaScript worker pool with concurrent CPU-intensive requests. Successful exploitation denies service to legitimate users. No vendor patch is available at the time of publication.
Critical Impact
Unauthenticated network attackers can exhaust the FastGPT code-sandbox worker pool, causing complete denial of service for all users of the platform.
Affected Products
- FastGPT versions 4.14.13 and earlier
- The code-sandbox component of FastGPT
- Deployments exposing FastGPT code execution endpoints to untrusted clients
Discovery Timeline
- 2026-05-08 - CVE-2026-42343 published to the National Vulnerability Database
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42343
Vulnerability Analysis
The FastGPT code-sandbox executes user-supplied JavaScript inside worker processes. The component enforces memory limits only at the application layer by polling worker memory consumption every 500 milliseconds. No cgroup, namespace, ulimit, or container-level resource boundary backs this soft limit. The design assumes user code behaves cooperatively between polling intervals.
This assumption breaks under two attack patterns. First, malicious code can allocate large memory regions and release them before the next poll, evading detection while still pressuring the host. Second, attackers can submit many concurrent CPU-bound payloads. The worker pool is finite, and each long-running task occupies one slot until completion.
The vulnerability is classified under [CWE-400] Uncontrolled Resource Consumption. It does not yield code execution outside the sandbox, but it removes availability for legitimate users of the FastGPT instance.
Root Cause
The root cause is missing operating system level isolation for sandboxed workloads. Application-level polling cannot enforce hard limits because user code runs continuously between checks. The architecture also lacks per-request CPU time budgets and worker pool admission control, allowing a single client to consume all available execution capacity.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits crafted code execution requests to the FastGPT API. For the memory bypass, the payload allocates and frees buffers within each 500ms window. For the worker exhaustion path, the attacker issues concurrent requests containing tight CPU loops. Either approach scales linearly with request volume and leads to a denial of service condition.
Detection Methods for CVE-2026-42343
Indicators of Compromise
- Sustained high CPU utilization on FastGPT worker processes with no corresponding legitimate workload increase
- Repeated code execution requests from a single source containing tight loops, large allocations, or recursive patterns
- API timeouts or queue backlogs in the code-sandbox service while the host remains otherwise responsive
- Memory usage spikes that disappear before the 500ms polling interval reports them
Detection Strategies
- Inspect code-sandbox request payloads for patterns consistent with allocation churn or CPU saturation loops
- Correlate per-client request rates against worker pool occupancy to identify single-source exhaustion
- Alert when worker pool utilization exceeds a defined threshold for sustained periods
- Log and review request bodies submitted to FastGPT code execution endpoints
Monitoring Recommendations
- Monitor process-level CPU and resident memory for FastGPT worker containers at sub-second resolution
- Track the ratio of completed to queued sandbox jobs and alert on growing backlogs
- Capture network telemetry for requests targeting FastGPT code execution APIs and baseline normal volume
How to Mitigate CVE-2026-42343
Immediate Actions Required
- Restrict network access to FastGPT instances so only authenticated, trusted users can reach the code-sandbox endpoints
- Place a reverse proxy in front of FastGPT and enforce per-client rate limits and request size caps
- Run FastGPT workers inside containers with cgroup memory and CPU limits configured at the runtime layer
- Reduce worker pool exposure by lowering maximum concurrent sandbox jobs per tenant
Patch Information
At the time of publication, no official patch is available. Review the GitHub Security Advisory GHSA-qv7v-r94x-6x3x for vendor updates and apply fixes as soon as labring publishes them.
Workarounds
- Enforce hard CPU and memory limits on FastGPT containers using Docker --cpus and --memory flags or Kubernetes resource limits
- Disable or gate the code execution feature for unauthenticated and low-trust user populations
- Deploy a web application firewall rule to throttle requests to sandbox endpoints by source identifier
- Isolate each FastGPT tenant in its own worker pool to prevent cross-tenant exhaustion
# Configuration example: enforce OS-level limits on FastGPT containers
docker run -d \
--name fastgpt \
--cpus="2.0" \
--memory="2g" \
--memory-swap="2g" \
--pids-limit=256 \
--restart=unless-stopped \
labring/fastgpt:latest
# Kubernetes equivalent
# resources:
# limits:
# cpu: "2"
# memory: "2Gi"
# requests:
# cpu: "500m"
# memory: "512Mi"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
