October 30, 2020

GHSL-2020-143: Arbitrary Code Execution in FastReports - CVE-2020-27998

Jaroslav Lobacevski


FastReports is vulnerable to arbitrary code execution because it compiles and runs C# code from a report template.



Tested Version

Master branch.


Issue: Compilation of user-supplied expressions into a .NET assembly.

While compiling report data transformations into .NET code could be acceptable if both the report template and the data source are trusted, the advertised Online Designer shows that this assumption does not hold.
Any user can execute arbitrary code on the server by creating a new expression, or editing an existing one, such as [System.String.Join(",", System.IO.Directory.GetDirectories(@"c:/"))].

Side Note: The forward slash ‘/’ is used instead of the back slash ‘\’ because the FastReports library fails to recognize a string literal if its last character is ‘\’.

After the user clicks Preview, the code is executed on the server.


Impact

Arbitrary code execution on the report template processing host.


Remediation

The allowed expressions should be restricted to an acceptable subset. The compiled code should be run in a sandboxed process.
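As an added illustration of the first remediation point, not code from FastReports or this advisory: a Roslyn-based gate that parses a template expression and rejects anything outside a hypothetical allow-list (the `AllowedCalls` and `ForbiddenKinds` sets are assumptions) before it is handed to the compiler. It rejects the advisory's expression because `System.String.Join` is not on the list, while something like `Math.Round(Price * 1.2, 2)` passes.

```csharp
using System.Collections.Generic;
using Microsoft.CodeAnalysis;
using Microsoft.CodeAnalysis.CSharp;
using Microsoft.CodeAnalysis.CSharp.Syntax;

// Syntactic allow-list gate: parse a report expression with Roslyn and reject
// anything outside a small, known surface before it reaches the compiler.
public static class ExpressionGate
{
    // Hypothetical allow-list of qualified members a template may invoke.
    static readonly HashSet<string> AllowedCalls = new HashSet<string>
    {
        "Math.Round", "Math.Abs", "String.Format", "String.Concat"
    };

    // Constructs that have no place in a data-formatting expression.
    static readonly HashSet<SyntaxKind> ForbiddenKinds = new HashSet<SyntaxKind>
    {
        SyntaxKind.ObjectCreationExpression, SyntaxKind.TypeOfExpression,
        SyntaxKind.SimpleLambdaExpression, SyntaxKind.ParenthesizedLambdaExpression,
        SyntaxKind.AnonymousMethodExpression, SyntaxKind.CastExpression,
        SyntaxKind.AliasQualifiedName, SyntaxKind.AwaitExpression
    };
    public static bool IsAllowed(string expression, out string reason)
    {
        ExpressionSyntax root = SyntaxFactory.ParseExpression(expression);
        if (root.ContainsDiagnostics) { reason = "syntax error"; return false; }
        foreach (SyntaxNode node in root.DescendantNodesAndSelf())
        {
            if (ForbiddenKinds.Contains(node.Kind()))
            { reason = "forbidden construct: " + node.Kind(); return false; }
            if (node is InvocationExpressionSyntax call)
            {
                // Compare the callee text (e.g. "System.String.Join") against the list.
                string callee = call.Expression.ToString();
                if (!AllowedCalls.Contains(callee))
                { reason = "call not on allow-list: " + callee; return false; }
            }
            else if (node is MemberAccessExpressionSyntax access
                     && !(access.Parent is InvocationExpressionSyntax)
                     && !(access.Parent is MemberAccessExpressionSyntax))
            {
                // Bare member reads on arbitrary types (Environment.X) are rejected too.
                reason = "member access not allowed: " + access; return false;
            }
        }
        reason = null; return true;
    }
}
```

A syntactic gate is only the first layer: it cannot see what an allowed type does at runtime, which is why the advisory also asks for the compiled code to run in a sandboxed process.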


Coordinated Disclosure Timeline



This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).


You can contact the GHSL team at, please include a reference to GHSL-2020-143 in any communication regarding this issue.