CVE-2025-49131

6.3 MEDIUM

📋 TL;DR

CVE-2025-49131 is a sandbox escape vulnerability in FastGPT's sandbox container that allows attackers to break out of the isolated execution environment. This enables arbitrary file read/write operations and bypasses Python module restrictions. Organizations using FastGPT versions before 4.9.11 with the sandbox feature enabled are affected.

💻 Affected Systems

Products:
  • FastGPT
Versions: All versions before 4.9.11
Operating Systems: Linux (container-based deployments)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the fastgpt-sandbox container feature. Basic FastGPT installations without sandbox functionality are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the FastGPT host system, allowing attackers to execute arbitrary code, steal sensitive data, and pivot to other systems in the network.

🟠 Likely Case

Unauthorized access to sensitive files, modification of AI workflows, and potential data exfiltration from the FastGPT environment.

🟢 If Mitigated

Limited impact with proper network segmentation and minimal privileges, though sandbox isolation would still be compromised.

🌐 Internet-Facing: HIGH - FastGPT deployments exposed to the internet are directly vulnerable to remote exploitation if sandbox features are used.
🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable to authenticated users or compromised accounts exploiting the sandbox.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to submit code to the sandbox, which typically requires some level of authentication or API access. The vulnerability involves syscall manipulation within container isolation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.11

Vendor Advisory: https://github.com/labring/FastGPT/security/advisories/GHSA-f3pf-r3g7-g895

Restart Required: Yes

Instructions:

1. Update FastGPT to version 4.9.11 or later.
2. Update the fastgpt-sandbox container image to the patched version.
3. Restart all FastGPT services and containers.
4. Verify the sandbox container is running the updated image.

🔧 Temporary Workarounds

Disable Sandbox Feature

all

Temporarily disable the sandbox execution feature in FastGPT configuration

Set sandbox.enabled=false in FastGPT configuration

Restrict Sandbox Access

all

Limit which users or API endpoints can submit code to the sandbox

Configure FastGPT ACLs to restrict sandbox access to trusted users only

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate FastGPT from sensitive systems
  • Apply additional container security controls like AppArmor or SELinux profiles

🔍 How to Verify

Check if Vulnerable:

Check the FastGPT version and the sandbox container version. If the FastGPT version is earlier than 4.9.11 and sandbox features are in use, the system is vulnerable.

Check Version:

docker inspect fastgpt-sandbox | grep -i version

Then check the FastGPT web interface or configuration for the FastGPT version.

Verify Fix Applied:

Verify FastGPT version is 4.9.11 or later and the sandbox container image includes the security patch commit bb810a43a1c70683fab7f5fe993771e930a94426.

📡 Detection & Monitoring

Log Indicators:

  • Unusual syscall patterns from sandbox containers
  • File access attempts outside sandbox boundaries
  • Python module import errors or bypass attempts

Network Indicators:

  • Unexpected outbound connections from FastGPT sandbox containers
  • Unusual data exfiltration patterns

SIEM Query:

container.name="fastgpt-sandbox" AND (syscall="execve" OR syscall="open" OR syscall="write") AND NOT path CONTAINS "/sandbox/"
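
The query above, expressed as runnable detection logic. This is an added example, not part of the advisory or of FastGPT. It assumes events arrive as JSON lines with hypothetical `container`, `syscall` and `path` fields and that `/sandbox` is the sandbox's working root; the sample events are constructed. It goes one step beyond the substring test by normalising each path and anchoring it to that root.

```python
import json
import posixpath

# Assumptions (not from the advisory): events are JSON lines with "container",
# "syscall" and "path" fields, and /sandbox is the sandbox's working root.
WATCHED_SYSCALLS = {"execve", "open", "write"}
SANDBOX_ROOT = "/sandbox"

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """\
{"container": "fastgpt-sandbox", "syscall": "open", "path": "/sandbox/job-1/main.py"}
{"container": "fastgpt-sandbox", "syscall": "open", "path": "/etc/hostname"}
{"container": "fastgpt-sandbox", "syscall": "write", "path": "/sandbox/../tmp/out.txt"}
{"container": "fastgpt-sandbox", "syscall": "open", "path": "/data/sandbox/cache.bin"}
{"container": "fastgpt-app", "syscall": "open", "path": "/etc/hostname"}
{"container": "fastgpt-sandbox", "syscall": "read", "path": "/etc/hostname"}
not-json noise line
"""


def is_suspicious(event):
    """True when a watched syscall in the sandbox container touches a path outside SANDBOX_ROOT."""
    if event.get("container") != "fastgpt-sandbox":
        return False
    if event.get("syscall") not in WATCHED_SYSCALLS:
        return False
    path = event.get("path")
    if not isinstance(path, str) or not path:
        return False  # nothing to evaluate; the path test needs a path
    # Normalise first so "/sandbox/../x" or "/data/sandbox/x" cannot pass a
    # plain substring test for "/sandbox/".
    norm = posixpath.normpath(path)
    return not (norm == SANDBOX_ROOT or norm.startswith(SANDBOX_ROOT + "/"))


def scan(lines):
    """Return the events from an iterable of JSON lines that match the rule."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if isinstance(event, dict) and is_suspicious(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["syscall"], hit["path"])
```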
