Advisory ID: #1
Published: 2026-03-19
Affected versions: <= 3.12.8
Addressed in: 3.12.9
ArangoDB Security Advisory: JavaScript Security Configuration Defaults in Self-Hosted Deployments
Description
ArangoDB provides several startup options that allow administrators to control what server-side JavaScript code can access, including filesystem paths, environment variables, outbound network endpoints, and startup configuration values.
In 3.12.8 and earlier, these options default to an open configuration. When none of them is explicitly set, the JavaScript environment operates with the full permissions of the arangod process. This includes User Defined Functions (UDFs) registered via /_api/aqlfunction, which in the default configuration can read files, access environment variables, and make outbound HTTP requests from within the server process.
Version 3.12.9 is planned to update these defaults to a more restrictive configuration. For deployments running earlier versions, the options described in the Mitigation section below can be used to restrict JavaScript access to match your security requirements.
AMP (managed service) deployments already operate with a restricted JavaScript configuration and are not affected.
Impact
In deployments using the default configuration, an authenticated user who can register UDFs can:
- Read files accessible to the arangod process, including configuration files and TLS private keys
- Write files anywhere the arangod process has write permission
- Access environment variables, which may contain secrets such as API keys, database credentials, and cloud provider tokens
- Make outbound HTTP requests to arbitrary endpoints
When combined with an AQL injection vulnerability in an application layer, an already registered UDF could be invoked through the injected query, so the attacker would not need database credentials of their own. Registering a new UDF still requires access to /_api/aqlfunction.
Remediation
Upgrade to version 3.12.9 when available. This release is planned to include updated defaults that restrict access for allowlists that were left unconfigured. Deployments that have already explicitly configured these options will not be affected by the changed defaults. Refer to the 3.12.9 release notes for full details on the changes and any considerations for Foxx microservices or other server-side JavaScript functionality.
Mitigation
For deployments running versions prior to 3.12.9, the following options can be used to restrict JavaScript access within the arangod process:
--server.harden=true --javascript.harden=true --javascript.environment-variables-allowlist="^$" --javascript.endpoints-allowlist="^$" --javascript.startup-options-allowlist="^$" --javascript.files-allowlist="^$"
The pattern ^$ matches only an empty string, so each allowlist above permits nothing. If you have already configured any of these allowlist options, review your existing values to ensure they are appropriately restrictive for your deployment. A misconfigured allowlist pattern, for example an empty pattern or one without anchors, may permit broader access than intended.
Note: These options restrict all JavaScript execution within the arangod process, not just UDFs. Foxx microservices and server-side operations initiated through arangosh are also subject to these restrictions. In practice, --javascript.files-allowlist is the most likely to cause visible side effects, as file operations are fundamental to Foxx app installation and server-side administration. Deployments that rely on Foxx or make outbound HTTP calls from Foxx services should evaluate these settings before applying them.
Additionally, deployments that do not use User Defined Functions can disable UDF registration entirely:
--javascript.user-defined-functions=false
Docker: Add these options after the image name in your docker run command or in the command: section of your docker-compose file.
Kubernetes: Add these options to the args section of your ArangoDB container spec, or set them in the ArangoDB Kubernetes Operator server group configuration.
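The following Python script is an added example, not ArangoDB code. It reads the options discussed in this section from either an arangod.conf file or an argument list of the kind used in a docker-compose command: section or a Kubernetes args entry, reports which of the advisory's settings are missing, and probes each configured allowlist with constructed sample values. It assumes that each allowlist entry is applied as an unanchored regular-expression search and that a value passes if any entry matches; the probe values (environment variable names, endpoint strings, option names, paths) are illustrations and not a claim about how arangod formats them internally.

```python
import re

# Flags and values from the advisory's mitigation command line.
HARDEN_FLAGS = {"server.harden": "true", "javascript.harden": "true"}
ALLOWLISTS = (
    "javascript.environment-variables-allowlist",
    "javascript.endpoints-allowlist",
    "javascript.startup-options-allowlist",
    "javascript.files-allowlist",
)
# Constructed probe values mirroring the secrets the Impact section names.
# Their spelling is an assumption, not how arangod formats these values.
PROBES = {
    "javascript.environment-variables-allowlist":
        ["AWS_SECRET_ACCESS_KEY", "ARANGO_ROOT_PASSWORD", "TZ"],
    "javascript.endpoints-allowlist":
        ["tcp://169.254.169.254:80", "ssl://api.example.com:443"],
    "javascript.startup-options-allowlist":
        ["server.jwt-secret-keyfile", "log.level"],
    "javascript.files-allowlist":
        ["/etc/arangodb3/arangod.conf", "/etc/ssl/private/server.key",
         "/var/lib/arangodb3-apps/_db/_system/demo/APP/index.js"],
}


def parse_conf(text):
    """arangod.conf ([section] / key = value) -> {"section.key": [values]}.
    Repeated keys accumulate, since an allowlist may be given several times.
    Only whole-line comments are stripped so a '#' inside a pattern survives."""
    opts, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        full = f"{section}.{key}" if section else key
        opts.setdefault(full, []).append(value.strip("\"'"))
    return opts


def parse_args(argv):
    """--section.key=value / --section.key value tokens -> the same dict shape."""
    opts, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            i += 1
            continue
        if "=" in tok:
            key, value = tok[2:].split("=", 1)
            i += 1
        elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            key, value = tok[2:], argv[i + 1]
            i += 2
        else:  # bare boolean flag such as --server.harden
            key, value = tok[2:], "true"
            i += 1
        opts.setdefault(key, []).append(value.strip("\"'"))
    return opts


def allowed(patterns, value):
    """ASSUMPTION: unanchored regex search, any matching entry allows the value.
    Under that rule an empty pattern matches everything and '^$' matches nothing."""
    return any(re.search(p, value) for p in patterns)


def audit(opts):
    """Findings as strings; an empty list means the options match the
    advisory's mitigation and no probe value would be allowed."""
    findings = []
    for key, want in HARDEN_FLAGS.items():
        if opts.get(key, ["false"])[-1].lower() != want:
            findings.append(f"{key} is not {want}")
    for key in ALLOWLISTS:
        patterns = opts.get(key)
        if patterns is None:
            findings.append(f"{key} unset: unrestricted on <= 3.12.8")
            continue
        leaked = [v for v in PROBES[key] if allowed(patterns, v)]
        if leaked:
            findings.append(f"{key} patterns {patterns} permit {leaked}")
    if opts.get("javascript.user-defined-functions", ["true"])[-1].lower() != "false":
        findings.append("UDF registration via /_api/aqlfunction is enabled")
    return findings


# Constructed inputs: a config that looks hardened but is not (empty and
# unanchored patterns), and the advisory's flags as compose/k8s args.
WEAK_CONF = """
[server]
harden = true

[javascript]
harden = true
environment-variables-allowlist =
files-allowlist = /etc/arangodb3
"""
HARDENED_ARGS = [
    "--server.harden=true", "--javascript.harden=true",
    "--javascript.environment-variables-allowlist=^$",
    "--javascript.endpoints-allowlist=^$",
    "--javascript.startup-options-allowlist=^$",
    "--javascript.files-allowlist=^$",
    "--javascript.user-defined-functions=false",
]

if __name__ == "__main__":
    for name, opts in (("weak arangod.conf", parse_conf(WEAK_CONF)),
                       ("hardened args", parse_args(HARDENED_ARGS))):
        print(f"{name}:")
        for finding in audit(opts) or ["no findings"]:
            print("  -", finding)
```

Run against the constructed weak configuration it reports five findings: the empty environment-variables pattern lets every probe through, two allowlists are unset, the unanchored files pattern still exposes arangod.conf, and UDF registration is enabled; the advisory's mitigation arguments produce none. Swap in your own config file or container args, and the probe lists, to check a real deployment under the stated matching assumption.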
Acknowledgments
This issue was reported by Anvil Secure.
Contact
If you have questions about this advisory, contact ArangoDB support.