| Title | NocoBase 2.0.23 Sandbox Issue |
|---|
| Description | ### Summary
A sandbox escape exists in `@nocobase/plugin-workflow-javascript` version `2.0.23`. The plugin attempts to neutralize constructors on objects exposed to the workflow script VM, but bound `console` methods still inherit from the host `Function.prototype`. An authenticated user who can access the Workflow JavaScript node test/editor capability can recover the host `Function` constructor via `Object.getPrototypeOf(console.log).constructor` and then access the host `process` object from inside the supposed sandbox.
### Details
The issue is in `packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js`.
- `createSafeConsole()` binds each `console` method and sets `bound.constructor = null`.
- This only clears the own `constructor` property of the bound function object; it does not sever the prototype chain, so `Object.getPrototypeOf(bound)` is still the host `Function.prototype`.
- The resulting `console` object is then passed into `script.runInNewContext(context, ...)`.
- Existing security tests check `console.log.constructor`, `console.constructor`, and related direct properties, but they do not cover `Object.getPrototypeOf(console.log).constructor`.
I confirmed the issue against source snapshot `v2.0.23-1-g2a16ac78c2` and package version `2.0.23`.
This also appears to be an incomplete fix or regression of a previously acknowledged Workflow JavaScript security issue mentioned in the vendor release notes on `2025-11-06` and `2025-11-10`.
### PoC
Minimal payload:
```js
const hostFn = Object.getPrototypeOf(console.log).constructor;
const processRef = hostFn('return process')();
return {
processVersion: processRef.version,
cwd: processRef.cwd(),
platform: processRef.platform
};
```
I reproduced this in two ways:
1. Directly against the repository's `Vm.js`, which returned the real host `process.version` and `cwd()`.
2. In a fresh deployment based on `nocobase/nocobase:2.0.23-full`, through the admin workflow UI using the built-in `Test run`, which returned:
```json
{
"processVersion": "v20.20.1",
"cwd": "/app/nocobase",
"platform": "linux"
}
```
The corresponding backend request was `POST /api/flow_nodes:test`, and the response returned `status: 1` with the same host process data.
### Impact
This is a real VM sandbox escape. A user with permission to configure or test Workflow JavaScript nodes can break the intended isolation boundary and access host Node.js runtime objects. Depending on deployment and follow-on primitives, this may expose environment data, filesystem access and network capability, and it materially increases the risk of server-side code execution.
By default, this is usually reachable by `root` / `admin`-like roles because default member roles do not have workflow management snippets. However, the real privilege requirement is possession of workflow management/test permissions such as `flow_nodes:test`, not the role name itself.
No patched version is known to me at the time of reporting. |
|---|
| Source | https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md |
|---|
| User | Paaai (UID 96664) |
|---|
| Submission | 03/23/2026 04:31 (23 days ago) |
|---|
| Moderation | 04/13/2026 15:49 (21 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 357142 [nocobase plugin-workflow-javascript up to 2.0.23 Vm.js createSafeConsole sandbox] |
|---|
| Points | 20 |
|---|