CVE-2026-44287 Overview
FastGPT is an open source AI Agent building platform developed by labring. A sandbox escape vulnerability affects the JavaScript code execution sandbox in versions prior to 4.15.0-beta1. The sandbox worker located at projects/code-sandbox/src/pool/worker.ts:356 uses a regular expression to block dynamic import() calls. Attackers bypass the filter by inserting a block comment between the import keyword and the parenthesis. The bypass loads Node.js child_process and invokes execSync, achieving arbitrary command execution as uid=100(sandbox) inside the sandbox container. The vendor assigned CWE-94: Improper Control of Generation of Code to this issue.
Critical Impact
Authenticated attackers execute arbitrary operating system commands inside the FastGPT code sandbox container by submitting crafted JavaScript that evades the dynamic import filter.
Affected Products
- FastGPT versions prior to 4.15.0-beta1
- FastGPT code-sandbox worker component
- Deployments exposing the JavaScript sandbox execution feature to authenticated users
Discovery Timeline
- 2026-05-29 - CVE-2026-44287 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-44287
Vulnerability Analysis
The FastGPT code sandbox executes untrusted JavaScript inside a Node.js worker. To prevent dynamic module loading, the worker performs a string-level check against submitted code using the regex /\bimport\s*\(/. The check rejects code that contains import( with optional ASCII whitespace between the keyword and the opening parenthesis.
JavaScript syntax permits block comments at the same lexical position as whitespace. The bytes /, *, *, / are not members of the \s character class. A payload such as import/**/("child_process") parses as a valid dynamic import expression while evading the regex filter.
The sandbox additionally relies on a safeRequire Proxy to mediate access to Node.js built-in modules through require. The Proxy does not wrap dynamic import(). Once the regex is bypassed, the attacker resolves the unrestricted child_process module and calls execSync to run arbitrary commands. Execution occurs as uid=100(sandbox) inside the sandbox container.
Root Cause
The root cause is reliance on a regular expression for language-level security enforcement [CWE-94]. The filter inspects source text without parsing JavaScript, so syntactic constructs equivalent to whitespace are missed. Sandbox isolation depends on a single string match rather than a proper AST-based denylist or a Proxy that mediates both require and import().
Attack Vector
Exploitation requires the ability to submit JavaScript to the sandbox, which corresponds to an authenticated low-privilege user in a typical FastGPT deployment. The attacker submits code containing import/**/("child_process").then(cp => cp.execSync("<command>")) or an equivalent construct. The worker accepts the submission, the V8 engine parses the comment-bracketed dynamic import, the child_process module loads outside the safeRequire Proxy, and the attacker-supplied command executes inside the sandbox container.
Readers can review the technical write-up in the FastGPT GitHub Security Advisory GHSA-f5mq-qxm4-5mvc.
Detection Methods for CVE-2026-44287
Indicators of Compromise
- Sandbox worker logs showing JavaScript submissions containing the literal substring import/**/( or other comment patterns between import and (
- Process creation events for sh, bash, or other shells whose parent is the FastGPT code-sandbox Node.js worker
- Unexpected outbound network connections originating from the sandbox container after code execution requests
- File writes to writable paths inside the sandbox container by processes spawned from the worker
Detection Strategies
- Inspect submitted sandbox code at the gateway for the regex import\s*(?:/\*[\s\S]*?\*/|//.*|\s)*\( to catch comment-based bypasses
- Alert on any invocation of child_process APIs inside the sandbox runtime, regardless of the import path used
- Correlate authenticated FastGPT API calls to /api/sandbox style endpoints with downstream execve syscalls in the container
Monitoring Recommendations
- Forward container runtime telemetry and Node.js worker stdout/stderr to a centralized log store and retain submitted code payloads
- Monitor the sandbox container for any process other than the expected Node.js worker tree
- Track egress traffic from the sandbox container and baseline it to the empty set, since legitimate sandboxed code has no need to reach external hosts
How to Mitigate CVE-2026-44287
Immediate Actions Required
- Upgrade FastGPT to version 4.15.0-beta1 or later, which removes the regex-based filter in favor of a hardened check
- Restrict access to the code sandbox feature to trusted authenticated users until the patch is applied
- Audit recent sandbox submissions for payloads containing import followed by comments and a parenthesis
- Rotate any secrets that were reachable from the sandbox container file system or environment
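An added example (not FastGPT's code and not taken from the advisory) for the submission audit above and the regex listed under Detection Strategies: it runs the original filter, the page's detection regex and a small comment- and string-aware scan over constructed samples. The function names and the scanner are assumptions; regex literals and `${}` template interpolation are not modelled, so hits are audit leads rather than a replacement filter.

```javascript
// Added example: audit retained sandbox submissions for dynamic import().
const ORIGINAL_FILTER = /\bimport\s*\(/; // filter quoted on this page
const PAGE_DETECTION = /import\s*(?:\/\*[\s\S]*?\*\/|\/\/.*|\s)*\(/; // regex from Detection Strategies

// Replace each comment with one space and empty out string/template bodies,
// so only code tokens remain (assumption: no regex literals, no ${} nesting).
function stripCommentsAndStrings(src) {
  let out = '';
  for (let i = 0; i < src.length; ) {
    const two = src.slice(i, i + 2), c = src[i];
    if (two === '/*' || two === '//') {
      const end = two === '/*' ? src.indexOf('*/', i + 2) : src.indexOf('\n', i);
      i = end === -1 ? src.length : end + (two === '/*' ? 2 : 0);
      out += ' ';
    } else if (c === '"' || c === "'" || c === '`') {
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      out += c + c;
      i = j + 1;
    } else {
      out += c;
      i += 1;
    }
  }
  return out;
}

// The lookbehind skips identifiers that merely end in "import", e.g. reimport(.
function hasDynamicImport(src) {
  return /(?<![\w$])import\s*\(/.test(stripCommentsAndStrings(src));
}

function auditSubmission(src) {
  return {
    originalFilter: ORIGINAL_FILTER.test(src),
    pageRegex: PAGE_DETECTION.test(src),
    tokenScan: hasDynamicImport(src),
  };
}

// Constructed sample submissions (not taken from real logs).
const SAMPLES = [
  'import("fs")',
  'import/**/("child_process")', // comment form described on this page
  'const s = "import/**/(x)";', // pattern appears only inside a string literal
  'function reimport(a) { return a; }\nreimport(1);',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), auditSubmission(s));
```

The last two samples show why the page's regex is better suited to triage than to blocking: it flags a string literal and a benign function name, which the scan does not.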
Patch Information
The vulnerability is fixed in FastGPT 4.15.0-beta1. Apply the upstream release from the labring/FastGPT repository and rebuild the code-sandbox container image. Details and the official fix are documented in the GitHub Security Advisory GHSA-f5mq-qxm4-5mvc.
Workarounds
- Disable the JavaScript code sandbox feature in FastGPT configuration until upgrade is possible
- Run the code-sandbox container with a read-only root filesystem, dropped capabilities, and seccomp profiles that deny execve of shells
- Apply egress network policies that block all outbound traffic from the sandbox container
- Add a reverse proxy filter that rejects submissions matching import followed by comment sequences before the worker receives them
# Example Kubernetes NetworkPolicy denying egress from the FastGPT sandbox pod
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fastgpt-sandbox-deny-egress
spec:
  podSelector:
    matchLabels:
      app: fastgpt-code-sandbox
  policyTypes:
    - Egress
  egress: []


