CVE-2026-55413

ToolJet · ToolJet

An authenticated builder can overwrite marketplace plugins with arbitrary server-side JavaScript, leading to RCE and supply-chain compromise within ToolJet instances.

Executive summary

A critical vulnerability in ToolJet allows authenticated users holding the builder role to execute arbitrary server-side code, resulting in full compromise of the ToolJet application server.

Vulnerability

This is a server-side code injection vulnerability in the marketplace plugin management functionality. An attacker authenticated with the "builder" role can overwrite a marketplace plugin's server-side code with JavaScript of their choosing; the injected code runs inside the ToolJet server's Node.js process, with that process's full privileges, so it affects every user and every application hosted on the instance.

Business impact

Arbitrary code execution with full Node.js access is a total compromise of the application server. Given the 9.4 CVSS score, this flaw poses an extreme risk of data exfiltration, unauthorized access to the internal workflows and data sources the instance is connected to, and persistent compromise of the ToolJet deployment, since a modified plugin survives restarts until it is replaced.

Remediation

Immediate Action: Upgrade ToolJet immediately to version 3.20.178-lts or later to remediate the plugin overwrite vulnerability.

Proactive Monitoring: Review application logs for suspicious marketplace plugin updates and monitor for unusual Node.js process activity or unauthorized outbound network connections.
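The two signals named above can be triaged from logs. The following is an added example, not ToolJet's own code or tooling: it sweeps a constructed per-request JSON log for successful write requests against marketplace plugin endpoints (the action this vulnerability abuses) and a constructed host connection log for outbound connections from the Node.js process that fall outside an egress allowlist. The JSON field names, the /api/plugins path prefix, the connection-log layout and the allowlisted network are all assumptions made for the example; adapt them to your deployment's real log shape.

```python
"""Added example (not ToolJet's code) for the monitoring step above.

Two checks over constructed log samples:
  1. successful write requests to the marketplace plugin endpoints, with
     the acting user's role;
  2. outbound connections from the Node.js process to destinations outside
     an egress allowlist.

Assumptions: the JSON request-log fields, the /api/plugins path prefix and
the connection-log layout are hypothetical stand-ins for a real deployment.
"""
import json
import re
from ipaddress import ip_address, ip_network

# Constructed sample of a per-request JSON log (hypothetical field names).
APP_LOG = """\
{"ts":"2026-04-01T10:02:11Z","user":"alice","role":"admin","method":"GET","path":"/api/plugins","status":200}
{"ts":"2026-04-01T10:05:43Z","user":"bob","role":"builder","method":"PUT","path":"/api/plugins/postgres-plugin","status":200}
{"ts":"2026-04-01T10:05:50Z","user":"bob","role":"builder","method":"GET","path":"/api/apps/12","status":200}
{"ts":"2026-04-01T10:09:02Z","user":"carol","role":"end-user","method":"PATCH","path":"/api/plugins/slack","status":403}
not a json line
"""

# Constructed sample of a host connection log: "<ts> <pid> <comm> <dst_ip>:<port>".
CONN_LOG = """\
2026-04-01T10:06:01Z 4123 node 10.0.5.20:5432
2026-04-01T10:06:02Z 4123 node 203.0.113.77:443
2026-04-01T10:06:03Z 4123 node 10.0.5.30:6379
2026-04-01T10:07:00Z 1203 sshd 198.51.100.9:22
"""

# Assumed: the path prefix under which plugin packages are created or updated.
PLUGIN_PATH = re.compile(r"^/api/plugins(?:/|$)")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed: internal networks the app server legitimately reaches.
EGRESS_ALLOWLIST = [ip_network("10.0.5.0/24")]


def plugin_write_events(log_text):
    """Return successful (status < 400) write requests against plugin endpoints.

    Every such event deserves review on an unpatched instance; those made by
    a non-admin role are the ones the advisory's attacker would generate.
    """
    hits = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip non-JSON lines rather than abort the sweep
        if ev.get("method") not in WRITE_METHODS:
            continue
        if not PLUGIN_PATH.match(ev.get("path", "")):
            continue
        if int(ev.get("status", 0)) >= 400:
            continue  # denied or failed request; not an actual overwrite
        hits.append({
            "ts": ev.get("ts"),
            "user": ev.get("user"),
            "role": ev.get("role"),
            "path": ev["path"],
            "privileged": ev.get("role") == "admin",
        })
    return hits


def unexpected_egress(conn_text, allowlist=EGRESS_ALLOWLIST, comm="node"):
    """Return "ip:port" destinations of the given process outside the allowlist."""
    flagged = []
    for line in conn_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != comm:
            continue
        ip_str, port = parts[3].rsplit(":", 1)
        try:
            ip = ip_address(ip_str)
        except ValueError:
            continue  # malformed destination; ignore rather than crash
        if not any(ip in net for net in allowlist):
            flagged.append(f"{ip_str}:{port}")
    return flagged


if __name__ == "__main__":
    for ev in plugin_write_events(APP_LOG):
        print("plugin write:", ev)
    for dst in unexpected_egress(CONN_LOG):
        print("egress outside allowlist:", dst)
```

On the sample data the sweep reports the builder's PUT to the plugin endpoint (the end-user's PATCH was rejected with 403 and is not an overwrite) and the single connection from the node process to a public address. Denied requests to plugin endpoints are still worth a separate count, since repeated 403s from one account can indicate probing before a successful overwrite.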

Compensating Controls: Restrict access to the "builder" role to trusted personnel only and implement strict egress filtering to prevent the server from reaching external malicious command-and-control infrastructure.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is highly critical due to the potential for full environment takeover. Organizations running versions prior to 3.20.178-lts should treat this as an emergency patch rather than waiting for the next maintenance cycle: the builder role is commonly granted to many application developers, and a single such account is enough to obtain remote code execution and stage a supply-chain attack through modified plugins.