
Onurcangnc

#23950 of 53,638
9.9 Total CVSS
Vulnerabilities · 1
PT-2026-29158
9.9
2026-03-30
Nocobase · Nocobase · CVE-2026-34156
**Name of the Vulnerable Software and Affected Versions**

NocoBase versions prior to 2.0.28

**Description**

NocoBase is an AI-powered no-code/low-code platform. Versions of NocoBase prior to 2.0.28 contain a security flaw that allows an authenticated attacker to achieve Remote Code Execution (RCE) as root. The Workflow Script Node executes user-supplied JavaScript inside a Node.js `vm` sandbox, but the sandbox's `console` object exposes host-realm `WritableWorkerStdio` stream objects (`console.stdout` and `console.stderr`). By traversing the prototype chain of these host-realm objects, an attacker can reach a host-realm `Function` constructor and escape the sandbox. Exploitation uses the `console` object to reach the Node.js `process` object and then loads modules such as `child_process` to execute commands. The vulnerability enables database credential theft, arbitrary file read/write, and the establishment of a reverse shell. The issue has been confirmed with a reverse shell and the ability to dump system information and credentials.

**Recommendations**

Update NocoBase to version 2.0.28 or later.