RAGFlow Server-Side Template Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A Server-Side Template Injection (SSTI) vulnerability has been identified in RAGFlow, an open-source Retrieval-Augmented Generation engine, in versions through 0.24.0. The vulnerability resides in the Agent workflow's Text Processing (StringTransform) and Message components, which render user-supplied template strings with Python's Jinja2 template engine without a sandbox. Because an unsandboxed Jinja2 environment lets a template traverse object attributes to reach Python internals such as the os module, any authenticated user who can author an agent can execute arbitrary operating system commands on the server. At the time of publication, no patches are available.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server with the privileges of the operating system account that runs the RAGFlow service. This could lead to reading sensitive files, including configuration files containing database credentials, and ultimately to compromise of the database or the entire server. In multi-tenant deployments, a single malicious tenant could affect all users on the platform.

Reproduction

To reproduce this vulnerability, log into RAGFlow as a registered user. Create a new agent and add a 'Text Processing' component. In the component's 'Script' field, enter a Jinja2 template expression that traverses from a built-in object to the os module and invokes 'os.popen' with a command. Save the agent and run it. The component's output contains the command's output, confirming that the template was rendered without a sandbox and the command executed on the server.

Remediation

Replace the unsandboxed Jinja2 template rendering with Jinja2's SandboxedEnvironment, which refuses access to private and dunder attributes (such as __class__, __init__ and __globals__) and to internal attributes of functions and methods, so templates cannot climb from a harmless object to the os module. Keep the render context limited to the values the component actually needs, since anything passed into the context remains reachable from the template. Additionally, audit other parts of the codebase that may render user-controlled templates with an unsandboxed Jinja2 environment.
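The following is an added illustration of the vulnerability class and of the recommended fix; it is constructed example code, not RAGFlow's StringTransform or Message implementation. It renders the same user-supplied template strings with a plain jinja2.Environment (the vulnerable pattern) and with jinja2.sandbox.SandboxedEnvironment (the remediated pattern). The payload is the generic, well-known Jinja2 attribute-traversal form (assumed here as a representative example, not a RAGFlow-specific payload) that reaches the os module through the __globals__ of a function exposed by a default Jinja2 global and runs a harmless echo via os.popen.

```python
# Added example: unsandboxed vs. sandboxed Jinja2 rendering of a
# user-controlled template. Not RAGFlow's own code.
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# A benign template of the kind a workflow component would legitimately accept
# (constructed sample input).
BENIGN_TEMPLATE = "Hello {{ name }}, you have {{ items | length }} documents."

# Generic Jinja2 SSTI payload (constructed, representative): `cycler` is a
# default Jinja2 global whose __init__ lives in a module that imports `os`.
# The command is a harmless echo so the demonstration is safe to run.
SSTI_PAYLOAD = (
    "{{ cycler.__init__.__globals__['os'].popen('echo ssti').read() }}"
)


def render_template(template_src: str, context: dict, sandboxed: bool):
    """Render a user-supplied template string.

    sandboxed=False mirrors the vulnerable pattern (plain Environment);
    sandboxed=True is the remediated pattern. Returns (True, output) when the
    template rendered, or (False, error_type_name) when the sandbox refused it.
    """
    env = SandboxedEnvironment() if sandboxed else Environment()
    try:
        return True, env.from_string(template_src).render(**context).strip()
    except SecurityError as exc:
        # SandboxedEnvironment raises SecurityError on access to private or
        # dunder attributes, which cuts the traversal chain before it reaches os.
        return False, type(exc).__name__


def sandbox_blocks_payload() -> bool:
    """True when the plain environment executes the payload and the sandbox rejects it."""
    vulnerable_ok, _ = render_template(SSTI_PAYLOAD, {}, sandboxed=False)
    sandboxed_ok, err = render_template(SSTI_PAYLOAD, {}, sandboxed=True)
    return vulnerable_ok and not sandboxed_ok and err == "SecurityError"


if __name__ == "__main__":
    ctx = {"name": "alice", "items": ["a.pdf", "b.pdf"]}
    print("benign, unsandboxed:", render_template(BENIGN_TEMPLATE, ctx, False))
    print("benign, sandboxed:  ", render_template(BENIGN_TEMPLATE, ctx, True))
    print("payload, unsandboxed:", render_template(SSTI_PAYLOAD, {}, False))
    print("payload, sandboxed:  ", render_template(SSTI_PAYLOAD, {}, True))
```

The benign template renders identically under both environments, so switching to SandboxedEnvironment does not break legitimate string-transformation use; only the traversal to os is refused. The sandbox does not restrict the values you place in the render context, so pass only the fields the component needs rather than whole request or configuration objects.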

Added: Apr 3, 2026, 10:27 PM
Updated: Apr 3, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.6
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.