An authenticated attacker can escape the Node.js sandbox in NocoBase to achieve full Remote Code Execution with root privileges, compromising the entire host system.

This is a sandbox escape vulnerability within the Workflow Script Node. An authenticated attacker can leverage exposed WritableWorkerStdio objects on the console object to traverse the prototype chain, bypassing the vm sandbox restrictions to execute arbitrary commands as the root user.

A successful exploit grants an attacker full control over the underlying server infrastructure. Given the root-level access, this results in total loss of data confidentiality, integrity, and availability, potentially leading to massive data breaches and long-term system compromise. The CVSS score of 9.9 reflects the critical nature of achieving unconstrained code execution on a business-critical no-code platform.

Immediate Action: Upgrade NocoBase to version 2.0.28 or later immediately to apply the security patch.

Proactive Monitoring: Review system logs for unusual Node.js process activity and monitor the WORKFLOW_SCRIPT_MODULES environment variable for unauthorized changes.

Compensating Controls: Restrict access to the NocoBase administrative interface and the Workflow builder to trusted personnel only using network-level access controls.

Public Exploit Available: No

The severity of this vulnerability cannot be overstated, as it allows a user with workflow access to escalate to full system administrator. Organizations using NocoBase must prioritize the update to version 2.0.28. Immediate patching is the only effective way to mitigate the risk of a complete host takeover.