CVE-2026-42343 | THREATINT

Description

FastGPT is an AI Agent building platform. In versions 4.14.13 and prior, the code-sandbox component suffers from insufficient resource isolation and uncontrolled resource consumption. The service relies solely on an application-level soft limit (a 500ms polling interval) for memory management and lacks strict OS-level constraints such as cgroups or kernel-level namespaces. This architectural weakness allows attackers to easily bypass memory checks via time-window attacks, or exhaust the entire JavaScript worker pool via concurrent CPU-intensive requests, resulting in a complete Denial of Service (DoS) for legitimate users. At time of publication, there are no publicly available patches.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M

MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-400: Uncontrolled Resource Consumption

Product status

<= 4.14.13

affected

References

github.com/...astGPT/security/advisories/GHSA-qv7v-r94x-6x3x

cve.org (CVE-2026-42343)

nvd.nist.gov (CVE-2026-42343)

Download JSON