CVE-2026-44287

MEDIUM 6.3

FastGPT: sandbox escape to RCE - code-sandbox regex /\bimport\s*\(/ is bypassable

CVSS Score

6.3

EPSS Score

0.1%

EPSS Percentile

17th

FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/src/pool/worker.ts:356 blocks dynamic import() with the regex /\bimport\s*\(/.test(code). JavaScript syntax accepts a block comment between import and (; the regex matches only ASCII whitespace, and the bytes /, *, *, / are not in the \s character class. The payload import/**/("child_process") parses as a syntactically valid dynamic import that the regex does not detect. Because import() is not wrapped by the safeRequire Proxy (which only proxies require), the attacker loads child_process and calls execSync - arbitrary command execution as uid=100(sandbox) inside the sandbox container. This vulnerability is fixed in 4.15.0-beta1.

CWE	CWE-94 CWE-184
Vendor	labring
Product	fastgpt
Published	May 29, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for labring fastgpt

Be the first to know when new medium vulnerabilities affecting labring fastgpt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

labring / FastGPT

< 4.15.0-beta1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/labring/FastGPT/security/advisories/GHSA-f5mq-qxm4-5mvc