Infiniflow RAGFlow
cpe:2.3:a:infiniflow:ragflow:*:*:*:*:*:*:*
- <= 0.18.1
An account takeover vulnerability exists in RAGFlow versions through 0.18.1. An attacker can brute-force the e-mail verification codes the application uses for account registration, login, and password reset: the codes are only six digits long (1,000,000 possible values) and the application applies no rate limiting, so the entire code space can be tried against the verification endpoint without ever reading the victim's e-mail.
Exploitation of this vulnerability allows for arbitrary account registration, login, and password resets, leading to unauthorized access to user accounts.
To reproduce this vulnerability, open the password reset or registration page and enter the victim's e-mail address; this makes the application send a verification code to that address. Submit any six-digit code and intercept the resulting request to the '/api/verify-code' or '/api/signup' endpoint (for a password reset, the request carries the new password together with the verification code). Replay that request, substituting each candidate code from 000000 to 999999, until the server accepts one. Because no rate limiting is applied, the request can be repeated as often as needed, so enumerating the whole code space completes the registration, login, or password reset for the victim's account.
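As an added illustration (not RAGFlow's code and not taken from the advisory), the following Python models the flaw and its fix side by side: a verifier with no attempt limit, which a plain enumeration loop defeats in at most one million guesses, beside a hardened verifier that caps attempts per e-mail, expires and invalidates codes, makes them single-use, and compares them in constant time. The class and function names, the in-memory store, the attempt limit of 5 and the 10-minute lifetime are assumptions made for the example, not RAGFlow settings.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LEN = 6           # six-digit code, as in the advisory (10**6 candidates)
MAX_ATTEMPTS = 5       # assumed lockout threshold for the hardened verifier
CODE_TTL_SECONDS = 600  # assumed code lifetime for the hardened verifier


def generate_code() -> str:
    """Zero-padded six-digit code drawn from a CSPRNG."""
    return f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class VulnerableVerifier:
    """Models the advisory's flaw: any number of guesses against a live code."""

    def __init__(self):
        self.pending = {}  # email -> PendingCode (assumed in-memory store)

    def send_code(self, email: str) -> None:
        # In a real system the code is e-mailed to `email`; it is never returned.
        self.pending[email] = PendingCode(generate_code(), time.time())

    def verify(self, email: str, guess: str) -> bool:
        entry = self.pending.get(email)
        return entry is not None and guess == entry.code


class HardenedVerifier(VulnerableVerifier):
    """Same flow with attempt limiting, expiry, single use and constant-time compare."""

    def verify(self, email: str, guess: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False
        if time.time() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[email]  # expired: a fresh code must be requested
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[email]  # too many guesses: invalidate the code outright
            return False
        ok = hmac.compare_digest(guess.encode(), entry.code.encode())
        if ok:
            del self.pending[email]  # single use: a code cannot be replayed
        return ok


def plant_code(verifier: VulnerableVerifier, email: str, code: str) -> None:
    """Fix the pending code so a demonstration run is deterministic (test hook only)."""
    verifier.pending[email] = PendingCode(code, time.time())


def brute_force(verifier: VulnerableVerifier, email: str, max_guesses: int = 10 ** CODE_LEN):
    """Enumerate 000000..999999 until the verifier accepts a code.

    Returns (accepted code or None, number of guesses made)."""
    for n in range(max_guesses):
        guess = f"{n:0{CODE_LEN}d}"
        if verifier.verify(email, guess):
            return guess, n + 1
    return None, max_guesses


if __name__ == "__main__":
    victim = "victim@example.com"  # constructed sample input

    weak = VulnerableVerifier()
    plant_code(weak, victim, "123456")
    print("vulnerable:", brute_force(weak, victim))   # code found after 123457 guesses

    strong = HardenedVerifier()
    plant_code(strong, victim, "123456")
    print("hardened:  ", brute_force(strong, victim, max_guesses=100))  # locked out, None
```

The attempt cap is what actually closes the hole: against a six-digit space, five guesses give an attacker a 5 in 1,000,000 chance per code, and invalidating the code on lockout means the victim has to request a new one rather than the attacker getting a fresh budget. Rate limiting by IP alone is a weaker substitute, since the guesses can be spread across many source addresses.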