Fastgpt
Monthly
Sandbox escape in FastGPT's JavaScript code execution worker allows authenticated remote attackers to execute arbitrary OS commands inside the sandbox container by bypassing a regex-based blocklist. The sandbox at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() using a regex that matches only ASCII whitespace between 'import' and '(', failing to account for JavaScript's syntactically valid block comment syntax - the payload import/**/("child_process") parses correctly by the JS engine but evades the regex entirely. Because the safeRequire Proxy only intercepts require() and not native ES import(), the attacker gains direct access to child_process and execSync as uid=100(sandbox). No public exploit identified at time of analysis, but the bypass technique is fully documented in the vendor advisory and is trivially reproducible by any authenticated user.
Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform's isInternalAddress network protection and pivot HTTP GET probes into internal services via the dataset preview endpoint. The flaw stems from an incomplete prior fix in the externalFile data import path, scoped-changed impact (S:C) elevates risk to adjacent systems, and no public exploit identified at time of analysis.
Server-side request forgery (SSRF) in FastGPT prior to version 4.14.17 allows authenticated users with App editing privileges to bypass SSRF protections in the lafModule workflow node's fetchData function, enabling arbitrary HTTP requests to internal and private network addresses via unvalidated user-controlled URLs passed to axios without filtering against the application's isInternalAddress blocklist.
FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17.
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU - Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches.
Denial of service vulnerability in FastGPT 4.14.13 and prior affects the code-sandbox component due to insufficient resource isolation and reliance on weak application-level memory limits. Unauthenticated remote attackers can trigger complete service unavailability by launching time-window memory attacks or exhausting the JavaScript worker pool via concurrent CPU-intensive requests. Attack complexity is reported as low with attack timing considerations (AT:P), and no vendor-released patch is available at time of publication.
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.
NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on the password change endpoint using MongoDB query operators. Low-privileged users can change their own password (or potentially others' passwords via ID manipulation) without knowing the current password, enabling full account takeover and persistent access. Fixed in version 4.14.9.5. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, though the attack technique is well-documented for NoSQL injection vectors.
NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login controls and access any account, including root administrator, by submitting MongoDB query operators instead of plaintext passwords. The vulnerability stems from missing runtime validation on password fields in the login endpoint. Exploitation requires no special conditions beyond network access to the login endpoint. CVSS 9.8 (Critical) with EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, though GitHub security advisory provides technical details that could enable exploit development.
Broken Access Control in FastGPT versions prior to 4.14.10.4 allows authenticated teams to access and execute applications belonging to other teams by supplying a foreign application ID, enabling cross-tenant data exposure and unauthorized workflow execution. The vulnerability stems from insufficient API validation-while team tokens are verified, the API fails to confirm that the requested application belongs to the authenticated team. This affects all FastGPT instances with multi-tenant deployments where different teams manage separate AI Agent applications, and is fixed in version 4.14.10.4.
Server-side request forgery (SSRF) in FastGPT versions prior to 4.14.10.3 allows unauthenticated remote attackers to probe and access internal network resources via the /api/core/app/mcpTools/runTool endpoint, which accepts arbitrary URLs without proper validation. The vulnerability is exploitable by default because the internal IP check is gated behind a disabled configuration flag (CHECK_INTERNAL_IP=false), enabling attackers to bypass network segmentation and potentially discover or interact with backend services, databases, or cloud metadata endpoints.
Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbitrary HTTP requests through the server. The /api/core/app/httpTools/runTool endpoint accepts user-controlled URLs, methods, headers, and body parameters without authentication, functioning as an open proxy for network pivoting, credential theft, and internal network reconnaissance. CVSS 10.0 (Critical) with network attack vector and no privileges required. No public exploit identified at time of analysis, though exploitation is trivial given the exposed endpoint design. EPSS data not available.
FastGPT's web and HTTP data acquisition nodes fail to properly validate internal network addresses, allowing unauthenticated remote attackers to bypass network isolation controls and access sensitive internal resources. This vulnerability affects FastGPT versions prior to 4.14.7 and requires user interaction to exploit. The vulnerability has a CVSS score of 5.4 and currently has no available patch.
Unauthenticated access to the FastGPT plugin API endpoint (FastGPT/api/plugin/xxx) in versions 4.14.0 through 4.14.5 allows remote attackers to disrupt plugin functionality and cause loss of plugin installation state without authentication. The vulnerability affects the AI/ML platform's plugin system availability and integrity, though sensitive data such as cryptographic keys are not exposed. A patch is available in version 4.14.5-fix.
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to attacker-controlled sites. This issue has been patched in version 4.9.12.
FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated code in isolation. The sandbox before version 4.9.11 has insufficient isolation and inadequate restrictions on code execution by allowing overly permissive syscalls, which allows attackers to escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import restrictions. This is patched in version 4.9.11 by restricting the allowed system calls to a safer subset and additional descriptive error messaging.
FastGPT is a knowledge-based platform built on the LLMs. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sandbox escape in FastGPT's JavaScript code execution worker allows authenticated remote attackers to execute arbitrary OS commands inside the sandbox container by bypassing a regex-based blocklist. The sandbox at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() using a regex that matches only ASCII whitespace between 'import' and '(', failing to account for JavaScript's syntactically valid block comment syntax - the payload import/**/("child_process") parses correctly by the JS engine but evades the regex entirely. Because the safeRequire Proxy only intercepts require() and not native ES import(), the attacker gains direct access to child_process and execSync as uid=100(sandbox). No public exploit identified at time of analysis, but the bypass technique is fully documented in the vendor advisory and is trivially reproducible by any authenticated user.
Server-Side Request Forgery in Labring FastGPT prior to 4.15.0-beta1 lets an authenticated attacker bypass the platform's isInternalAddress network protection and pivot HTTP GET probes into internal services via the dataset preview endpoint. The flaw stems from an incomplete prior fix in the externalFile data import path, scoped-changed impact (S:C) elevates risk to adjacent systems, and no public exploit identified at time of analysis.
Server-side request forgery (SSRF) in FastGPT prior to version 4.14.17 allows authenticated users with App editing privileges to bypass SSRF protections in the lafModule workflow node's fetchData function, enabling arbitrary HTTP requests to internal and private network addresses via unvalidated user-controlled URLs passed to axios without filtering against the application's isInternalAddress blocklist.
FastGPT is an AI Agent building platform. Prior to version 4.14.17, FastGPT had an inconsistent SSRF protection gap in MCP tool URL handling. The direct MCP preview/run endpoints already rejected internal/private network URLs, but the MCP tool create/update endpoints could still save an internal MCP server URL. That stored URL could later be used by workflow execution without revalidating the destination. An authenticated user with permission to create or manage MCP toolsets could store an internal endpoint such as http://localhost:3000/mcp and later cause the FastGPT backend workflow runner to connect to that internal destination. This issue has been patched in version 4.14.17.
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts blocks cloud metadata endpoints using a fullUrl.startsWith() check against a hardcoded list. This check can be bypassed using at least 7 different URL encoding techniques, all of which resolve to the same cloud metadata service but do not match the blocklist patterns. Additionally, the broader private IP check (isInternalIPv4/isInternalIPv6) is disabled by default because CHECK_INTERNAL_IP defaults to false (not 'true'), so these bypasses reach the metadata endpoint without any further validation. At time of publication, there are no publicly available patches.
FastGPT is an AI Agent building platform. In versions 4.14.11 and prior, FastGPT's isInternalAddress() function in packages/service/common/system/utils.ts is vulnerable to DNS rebinding (TOCTOU - Time-of-Check to Time-of-Use). The function resolves the hostname via dns.resolve4()/dns.resolve6() and checks resolved IPs against private ranges, but the actual HTTP request happens in a separate call with a new DNS resolution, allowing the DNS record to change between validation and fetch. At time of publication, there are no publicly available patches.
Denial of service vulnerability in FastGPT 4.14.13 and prior affects the code-sandbox component due to insufficient resource isolation and reliance on weak application-level memory limits. Unauthenticated remote attackers can trigger complete service unavailability by launching time-window memory attacks or exhausting the JavaScript worker pool via concurrent CPU-intensive requests. Attack complexity is reported as low with attack timing considerations (AT:P), and no vendor-released patch is available at time of publication.
FastGPT is an AI Agent building platform. From version 4.14.10 to before version 4.14.13, the agent-sandbox component of FastGPT is vulnerable to unauthenticated Remote Code Execution (RCE). The startup script entrypoint.sh initializes code-server with the --auth none flag and binds the service to all network interfaces (0.0.0.0:8080). This configuration allows any user with network access to the port to bypass authentication and gain full control over the sandbox environment. This issue has been patched in version 4.14.13.
NoSQL injection in FastGPT versions before 4.14.9.5 allows authenticated attackers to bypass password verification on the password change endpoint using MongoDB query operators. Low-privileged users can change their own password (or potentially others' passwords via ID manipulation) without knowing the current password, enabling full account takeover and persistent access. Fixed in version 4.14.9.5. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, though the attack technique is well-documented for NoSQL injection vectors.
NoSQL injection in FastGPT <4.14.9.5 password authentication allows unauthenticated remote attackers to bypass login controls and access any account, including root administrator, by submitting MongoDB query operators instead of plaintext passwords. The vulnerability stems from missing runtime validation on password fields in the login endpoint. Exploitation requires no special conditions beyond network access to the login endpoint. CVSS 9.8 (Critical) with EPSS data unavailable; no CISA KEV listing or public POC identified at time of analysis, though GitHub security advisory provides technical details that could enable exploit development.
Broken Access Control in FastGPT versions prior to 4.14.10.4 allows authenticated teams to access and execute applications belonging to other teams by supplying a foreign application ID, enabling cross-tenant data exposure and unauthorized workflow execution. The vulnerability stems from insufficient API validation-while team tokens are verified, the API fails to confirm that the requested application belongs to the authenticated team. This affects all FastGPT instances with multi-tenant deployments where different teams manage separate AI Agent applications, and is fixed in version 4.14.10.4.
Server-side request forgery (SSRF) in FastGPT versions prior to 4.14.10.3 allows unauthenticated remote attackers to probe and access internal network resources via the /api/core/app/mcpTools/runTool endpoint, which accepts arbitrary URLs without proper validation. The vulnerability is exploitable by default because the internal IP check is gated behind a disabled configuration flag (CHECK_INTERNAL_IP=false), enabling attackers to bypass network segmentation and potentially discover or interact with backend services, databases, or cloud metadata endpoints.
Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbitrary HTTP requests through the server. The /api/core/app/httpTools/runTool endpoint accepts user-controlled URLs, methods, headers, and body parameters without authentication, functioning as an open proxy for network pivoting, credential theft, and internal network reconnaissance. CVSS 10.0 (Critical) with network attack vector and no privileges required. No public exploit identified at time of analysis, though exploitation is trivial given the exposed endpoint design. EPSS data not available.
FastGPT's web and HTTP data acquisition nodes fail to properly validate internal network addresses, allowing unauthenticated remote attackers to bypass network isolation controls and access sensitive internal resources. This vulnerability affects FastGPT versions prior to 4.14.7 and requires user interaction to exploit. The vulnerability has a CVSS score of 5.4 and currently has no available patch.
Unauthenticated access to the FastGPT plugin API endpoint (FastGPT/api/plugin/xxx) in versions 4.14.0 through 4.14.5 allows remote attackers to disrupt plugin functionality and cause loss of plugin installation state without authentication. The vulnerability affects the AI/ML platform's plugin system availability and integrity, though sensitive data such as cryptographic keys are not exposed. A patch is available in version 4.14.5-fix.
FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to attacker-controlled sites. This issue has been patched in version 4.9.12.
FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated code in isolation. The sandbox before version 4.9.11 has insufficient isolation and inadequate restrictions on code execution by allowing overly permissive syscalls, which allows attackers to escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import restrictions. This is patched in version 4.9.11 by restricting the allowed system calls to a safer subset and additional descriptive error messaging.
FastGPT is a knowledge-based platform built on the LLMs. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.