Skip to content

[CRITICAL] Fix: Prevent RCE via Unsafe Code Execution in No-Op Sandbox#389

Open
aditya072690 wants to merge 1 commit intoAIxBlock-2023:mainfrom
aditya072690:bugfix/critical-rce-noop-sandbox
Open

[CRITICAL] Fix: Prevent RCE via Unsafe Code Execution in No-Op Sandbox#389
aditya072690 wants to merge 1 commit intoAIxBlock-2023:mainfrom
aditya072690:bugfix/critical-rce-noop-sandbox

Conversation

@aditya072690
Copy link

@aditya072690 aditya072690 commented Dec 9, 2025

Security Fix

This PR fixes a critical RCE vulnerability where user-provided code could execute with full Node.js process privileges.

Changes

  • Force SANDBOX_CODE_ONLY mode in production
  • Require explicit ALLOW_UNSANDBOXED flag for unsafe modes
  • Add security warnings for unsafe execution modes

Security Impact

  • Severity: Critical
  • CVSS Score: 9.8
  • Issue: #[issue number]

Testing

  • Verified fix prevents exploitation
  • Code compiles successfully
  • Production mode forces safe sandbox

References

  • Related Issue: #[issue number]
  • Branch: aditya072690:bugfix/critical-rce-noop-sandbox

@aditya072690
fix: prevent RCE by forcing safe sandbox in production
9ddce93 
- Force SANDBOX_CODE_ONLY mode in production environments
- Require explicit ALLOW_UNSANDBOXED flag for unsafe modes in development
- Add security warnings for unsafe execution modes
- Default to safe sandbox if unsafe mode detected without flag

This fixes a critical RCE vulnerability where user-provided code could
execute with full Node.js process privileges when AP_EXECUTION_MODE is
set to UNSANDBOXED or SANDBOXED.

CVSS Score: 9.8 (Critical)
Severity: Critical
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aditya072690