Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.
AnalysisAI
Authenticated Standard Registry users can execute arbitrary Node.js code in Hashgraph Guardian ≤3.5.0 through unsandboxed JavaScript evaluation in the Custom Logic policy block worker, enabling credential theft and privilege escalation. The vulnerability allows importing native Node.js modules to read container filesystem contents, extract RSA private keys and JWT signing secrets from environment variables, and forge administrator authentication tokens. Despite low EPSS (0.12%) indicating minimal widespread exploitation probability, the authenticated RCE path to total system compromise warrants immediate patching for deployments using Custom Logic policy features.
Technical ContextAI
Hashgraph Guardian's Custom Logic policy block worker accepts user-supplied JavaScript expressions and executes them via the Node.js Function() constructor without sandboxing or isolation mechanisms. This CWE-668 (Exposure of Resource to Wrong Sphere) vulnerability stems from directly passing untrusted code to a JavaScript evaluation primitive that inherits full Node.js runtime capabilities. Unlike browser-based JavaScript execution which operates in a restricted environment, Node.js Function() provides access to require() for importing native modules (fs, process, crypto), filesystem I/O, and process memory. The affected component appears to be designed for dynamic policy logic evaluation but lacks the VM sandboxing (vm2, isolated-vm) or capability restriction mechanisms necessary when executing user-controlled code in server-side JavaScript runtimes.
RemediationAI
Upgrade Hashgraph Guardian to version 3.5.1 or later once the fix from GitHub PR #5929 (https://github.com/hashgraph/guardian/pull/5929) is released in a tagged version. Until patched versions are available, implement these compensating controls with noted trade-offs: (1) Disable or remove the Custom Logic policy block feature entirely if not business-critical - eliminates attack surface but may break existing policy workflows requiring dynamic JavaScript evaluation; (2) Restrict Standard Registry user role assignments to only absolutely trusted administrators and implement mandatory code review for all Custom Logic policy blocks before deployment - reduces attacker pool but introduces operational overhead and doesn't prevent malicious insiders; (3) Deploy Guardian containers with read-only root filesystems and externalize all secrets to secure secret management systems rather than environment variables - limits filesystem read impact and credential exposure but requires infrastructure reconfiguration and may affect other Guardian components expecting writable paths. Monitor container process execution for unexpected child processes or require() calls to filesystem/process modules as detection layer. Consult VulnCheck advisory at https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce for additional vendor guidance.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20993
GHSA-wf7f-q2xr-hrmh