CVE-2025-49131

FastGPT Sandbox Vulnerable to Sandbox Bypass

Severity Score

6.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated code in isolation. The sandbox before version 4.9.11 has insufficient isolation and inadequate restrictions on code execution by allowing overly permissive syscalls, which allows attackers to escape the intended sandbox boundaries. Attackers could exploit this to read and overwrite arbitrary files and bypass Python module import restrictions. This is patched in version 4.9.11 by restricting the allowed system calls to a safer subset and additional descriptive error messaging.

FastGPT es un proyecto de código abierto que proporciona una plataforma para crear, implementar y operar flujos de trabajo basados en IA y agentes conversacionales. El contenedor de la Sandbox (fastgpt-sandbox) es un entorno aislado especializado que FastGPT utiliza para ejecutar de forma segura código enviado por el usuario o generado dinámicamente. El entorno de la Sandbox anterior a la versión 4.9.11 presenta un aislamiento insuficiente y restricciones inadecuadas en la ejecución de código, al permitir llamadas al sistema excesivamente permisivas, lo que permite a los atacantes eludir los límites previstos del entorno de la Sandbox. Los atacantes podrían aprovechar esto para leer y sobrescribir archivos arbitrarios y eludir las restricciones de importación de módulos de Python. Esto se ha corregido en la versión 4.9.11, restringiendo las llamadas al sistema permitidas a un subconjunto más seguro y proporcionando mensajes de error descriptivos adicionales.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2025-06-02 CVE Reserved
2025-06-09 CVE Published
2025-06-09 CVE Updated
2025-06-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (5)

URL	Tag	Source
https://github.com/labring/FastGPT/commit/bb810a43a1c70683fab7f5fe993771e930a94426	X_refsource_misc
https://github.com/labring/FastGPT/pkgs/container/fastgpt-sandbox	X_refsource_misc
https://github.com/labring/FastGPT/pull/4958	X_refsource_misc
https://github.com/labring/FastGPT/releases/tag/v4.9.11	X_refsource_misc
https://github.com/labring/FastGPT/security/advisories/GHSA-f3pf-r3g7-g895	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Labring Search vendor "Labring"		FastGPT Search vendor "Labring" for product "FastGPT"				< 4.9.11 Search vendor "Labring" for product "FastGPT" and version " < 4.9.11"		en		Affected