Issue with process in nocobase container

Hi,

Our server admin just reported that a postgres service is maxing out the server’s CPU. Turns out it was one of the processes inside the nocobase postgres container. I restarted the container, but the issue came back:

$ sudo docker top nocobase-postgres-1
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
psaadm              1857606             1857581             0                   12:54               ?                   00:00:00            postgres -c wal_level=logical
psaadm              1892055             1857606             0                   15:13               ?                   00:00:00            postgres: checkpointer
psaadm              1892056             1857606             0                   15:13               ?                   00:00:00            postgres: background writer
psaadm              1892065             1857606             0                   15:13               ?                   00:00:00            postgres -c wal_level=logical
psaadm              1892066             1857606             0                   15:13               ?                   00:00:00            postgres: walwriter
psaadm              1892067             1857606             0                   15:13               ?                   00:00:00            postgres: autovacuum launcher
psaadm              1892068             1857606             0                   15:13               ?                   00:00:00            postgres: logical replication launcher
psaadm              1892073             1857606             3                   15:13               ?                   00:00:46            postgres -c wal_level logical
psaadm              1892269             1857606             99                  15:13               ?                   05:06:48            postgres -c wal_level=logical

The docker-compose.yml:

version: "3"

networks:
  nocobase:
    driver: bridge

services:
  app:
    image: registry.cn-shanghai.aliyuncs.com/nocobase/nocobase:latest
    networks:
      - nocobase
    depends_on:
      - postgres
    environment:
      APP_KEY: your-secret-key
      DB_DIALECT: postgres
      DB_HOST: postgres
      DB_DATABASE: nocobase
      DB_USER: nocobase
      DB_PASSWORD: nocobase
      TZ: Asia/Shanghai
    volumes:
      - ./storage:/app/nocobase/storage
    ports:
      - "13000:80"

  postgres:
    image: registry.cn-shanghai.aliyuncs.com/nocobase/postgres:16
    restart: always
    command: postgres -c wal_level=logical
    environment:
      POSTGRES_USER: nocobase
      POSTGRES_DB: nocobase
      POSTGRES_PASSWORD: nocobase
    volumes:
      - ./storage/db/postgres:/var/lib/postgresql/data
    networks:
      - nocobase
    ports:
      - "5432:5432"

There’s another postgres container running on port 5431, postgres version 13.

Any suggestions?

Hello, please query the database to see what operation was performed by pid = 1892269.

Hi,

pg_stat_activity doesn’t show anything (while the process hangs at 99%), so I was wondering if it could have something to do with wal_level=logical. Testing it with wal_level=replica atm.

It seems that the docker container has been compromised, docker top revealed a shell script that was run inside the nocobase postgres container to load a malicious binary. At least this is what seems to be clear at this point.

Unfortunately, after installing Nocobase through docker, we left the default password active for some time.

My question is: how could an attacker gain access to the docker container and possibly to the host system by logging into our nocobase instance? Is there a known vulnerability? Could the image itself have been compromised?
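Two settings in the compose file quoted above are worth noting when thinking about the question: `"5432:5432"` publishes postgres on every host interface (Docker binds to 0.0.0.0 unless an address is given), and the database password and APP_KEY are the documented defaults. The following is an added example, not code from the thread or from the NocoBase project, showing the weak settings next to a hardened variant; it assumes the app only needs postgres over the compose-internal `nocobase` network (as in the original file) and that secrets are supplied from an untracked `.env` file.

```yaml
# Added hardening example (not from the thread). Assumption: secrets such as
# APP_KEY and DB_PASSWORD are set in an untracked .env file next to this file;
# the ":?" form makes compose refuse to start if they are missing.
version: "3"

networks:
  nocobase:
    driver: bridge

services:
  app:
    image: registry.cn-shanghai.aliyuncs.com/nocobase/nocobase:latest
    networks:
      - nocobase
    depends_on:
      - postgres
    environment:
      # weak: APP_KEY: your-secret-key   (documented default)
      APP_KEY: ${APP_KEY:?set a long random value in .env}
      DB_DIALECT: postgres
      DB_HOST: postgres
      DB_DATABASE: nocobase
      DB_USER: nocobase
      # weak: DB_PASSWORD: nocobase   (documented default)
      DB_PASSWORD: ${DB_PASSWORD:?set a strong value in .env}
      TZ: Asia/Shanghai
    volumes:
      - ./storage:/app/nocobase/storage
    ports:
      - "13000:80"

  postgres:
    image: registry.cn-shanghai.aliyuncs.com/nocobase/postgres:16
    restart: always
    command: postgres -c wal_level=logical
    environment:
      POSTGRES_USER: nocobase
      POSTGRES_DB: nocobase
      POSTGRES_PASSWORD: ${DB_PASSWORD:?set a strong value in .env}
    volumes:
      - ./storage/db/postgres:/var/lib/postgresql/data
    networks:
      - nocobase
    # weak: "5432:5432" publishes postgres on all host interfaces. The app
    # reaches it over the "nocobase" network, so no host port is needed.
    # If a local psql client is genuinely required, bind to loopback only:
    ports:
      - "127.0.0.1:5432:5432"
```

After changing the credentials, rotate them in the existing database as well (the stored POSTGRES_PASSWORD is only applied when the data directory is first initialised), and check `docker port nocobase-postgres-1` to confirm the listener is bound to 127.0.0.1.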