
FastGPT CVE-2026-42343

Severity: MEDIUM (6.3, CVSS 4.0 · GitHub Advisory)
Weakness: Uncontrolled Resource Consumption (CWE-400)
Published: 2026-05-08 (GitHub_M)

Severity by source

GitHub Advisory (PRIMARY): 6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

- Analysis Generated: May 09, 2026 - 00:45 (vuln.today)
- CVSS changed: May 08, 2026 - 23:22 (NVD), 6.3 (MEDIUM)
- CVE Published: May 08, 2026 - 22:09 (nvd), UNKNOWN (no severity yet)
- CVE Published: May 08, 2026 - 22:09 (nvd), MEDIUM 6.3

Description (GitHub Advisory)

FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches.

Analysis (AI-generated)

Denial of service vulnerability in FastGPT 4.14.13 and prior affects the code-sandbox component due to insufficient resource isolation and reliance on weak application-level memory limits. Unauthenticated remote attackers can trigger complete service unavailability by launching time-window memory attacks or exhausting the JavaScript worker pool via concurrent CPU-intensive requests. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

- Access: Send concurrent code-execution requests
- Delivery: Exceed JavaScript worker pool capacity
- Exploit: Exhaust available workers
- Execution: Queue legitimate requests without processing
- Impact: Complete service unavailability

Vulnerability Assessment (AI-generated)

Exploitation: The FastGPT code-sandbox API endpoint must be network-accessible without authentication (default configuration). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 6.3 with attack vector Network and complexity Low indicates a remotely exploitable vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker sends a rapid burst of API requests to the code-sandbox endpoint, each containing a CPU-intensive JavaScript payload designed to execute longer than the 500ms polling interval. The soft memory limit is bypassed through timing attacks, and the JavaScript worker pool is exhausted as requests queue faster than workers complete execution. …

Remediation: No vendor-released patch is available at time of publication. … Detailed patch versions, workarounds, and compensating controls in full report.


CVE-2026-42343 vulnerability details – vuln.today
