infiniflow RAGFlow
cpe:2.3:a:infiniflow:ragflow:*:*:*:*:*:*:*
- <= 0.24.0
A server-side template injection vulnerability has been identified in RAGFlow versions through 0.24.0. This issue allows any authenticated user to execute arbitrary operating system commands on the server. The vulnerability arises in the prompt generator component, where user-controlled input is rendered through an unsandboxed Jinja2 environment. Exploitation can be achieved by creating a Canvas workflow that includes a malicious payload in the citation guidelines, which is then processed by the application, leading to command execution on the server.
Exploitation of this vulnerability allows for arbitrary command execution on the server where RAGFlow is running.
To reproduce this vulnerability, a valid user account is needed. Once logged in, create a Canvas workflow that includes a DuckDuckGo component followed by an LLM component. In the LLM component's sys_prompt parameter, insert a Jinja2 payload designed to execute a command, such as one that writes to a file. When the Canvas is run, the DuckDuckGo component will populate retrieval chunks, and the LLM component will execute the Jinja2 payload on the server, leading to command execution.
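The root cause described above, user-controlled text compiled by an unsandboxed Jinja2 environment, is shown here beside two mitigations. This is an added example, not RAGFlow's code: the function names, `FIXED_TEMPLATE` and the sample chunks are hypothetical, and the probe is a constructed, harmless template that only reads a class name.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed, harmless probe standing in for user-supplied guideline text:
# it only tries to read a class name through a dunder attribute.
PROBE = "{{ chunks.__class__.__name__ }}"

# Hypothetical application-owned template; user text is a variable in it.
FIXED_TEMPLATE = (
    "{{ guidelines }}\n\nSources:\n"
    "{% for c in chunks %}- {{ c }}\n{% endfor %}"
)


def render_unsandboxed(user_text, chunks):
    """Risky pattern: user text is compiled as Jinja2 template source."""
    return Environment().from_string(user_text).render(chunks=chunks)


def render_sandboxed(user_text, chunks):
    """Same flow inside SandboxedEnvironment; None if the sandbox refuses."""
    try:
        return SandboxedEnvironment().from_string(user_text).render(chunks=chunks)
    except SecurityError:
        return None


def render_as_data(user_text, chunks):
    """User text is passed as a value and never parsed as a template."""
    template = Environment().from_string(FIXED_TEMPLATE)
    return template.render(guidelines=user_text, chunks=chunks)


if __name__ == "__main__":
    chunks = ["doc-1", "doc-2"]  # constructed retrieval chunks
    print("unsandboxed:", repr(render_unsandboxed(PROBE, chunks)))
    print("sandboxed:  ", repr(render_sandboxed(PROBE, chunks)))
    print("as data:    ", repr(render_as_data(PROBE, chunks)))
```

Passing user text as a value is the stronger of the two controls, because the text is never parsed as a template; the sandbox is a second layer for cases where user-authored templates are a required feature.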