PT-2026-39207 · Fastgpt · Fastgpt

Foodlook · Published 2026-05-08 · Updated 2026-05-09 · CVE-2026-42344

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: FastGPT versions prior to 4.14.12

Description: The isInternalAddress() function in packages/service/common/system/utils.ts is susceptible to DNS rebinding, a Time-of-Check to Time-of-Use (TOCTOU) issue. The function validates a hostname by resolving it via dns.resolve4() or dns.resolve6() to ensure the IP is not within a private range. However, because the subsequent HTTP request triggers a separate DNS resolution, an attacker can change the DNS record between the validation step and the actual fetch, potentially bypassing internal network restrictions.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
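The check-then-fetch race described above, modelled as an added example (not FastGPT's code) with an injectable resolver so it runs offline: the vulnerable pattern hands the hostname to the HTTP client, which resolves it a second time, while the hardened pattern validates the single answer it will actually connect to. The resolver, the hostname and the addresses are constructed for illustration.

```typescript
// Added example, not FastGPT's code: models the advisory's TOCTOU with an
// injectable resolver. A real resolver would await dns.resolve4(); it is kept
// synchronous here so the two lookups are easy to follow.
type Resolver = (hostname: string) => string;

// RFC 1918, loopback, link-local and "this network" ranges; anything that does
// not parse as dotted-quad IPv4 is treated as private (fail closed).
function isPrivateIPv4(ip: string): boolean {
  const o = ip.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return true;
  const [a, b] = o as [number, number, number, number];
  return a === 10 || a === 127 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Constructed resolver whose answer changes on every lookup, standing in for a
// short-TTL record that differs between the validation and the connect.
function flippingResolver(answers: string[]): Resolver {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)] as string;
}

// Vulnerable pattern: validate the name, then pass the *name* to the HTTP
// client, which performs its own second lookup. Returns the address the
// client would actually connect to.
function checkThenFetch(host: string, resolve: Resolver): string {
  const checked = resolve(host);                       // lookup #1: the check
  if (isPrivateIPv4(checked)) throw new Error("blocked: private address");
  return resolve(host);                                // lookup #2: the use
}

// Hardened pattern: resolve once, validate that exact answer, and connect to
// the pinned IP; the hostname only travels in the Host header.
function pinnedFetch(host: string, resolve: Resolver): { ip: string; hostHeader: string } {
  const ip = resolve(host);
  if (isPrivateIPv4(ip)) throw new Error("blocked: private address");
  return { ip, hostHeader: host };                     // no second lookup
}

// Same record sequence against both implementations (constructed addresses).
const rebinding = ["203.0.113.10", "10.0.0.5"];
console.log(checkThenFetch("example.test", flippingResolver(rebinding)));   // 10.0.0.5: check passed, internal host reached
console.log(pinnedFetch("example.test", flippingResolver(rebinding)).ip);   // 203.0.113.10: the validated address is the one used
```

In a real client every address in the answer set must pass the check, and redirect targets need the same resolve-validate-pin treatment, since a redirect is just another hostname the client would otherwise resolve on its own.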

Exploit

Weakness Enumeration: Time Of Check To Time Of Use

Related Identifiers: CVE-2026-42344

Affected Products: Fastgpt