Source: security-advisories@github.com
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox isolation. This occurs because untrusted data (stdout) is parsed using eval() with no filtering or sandboxing. The intended design was to "automatically convert string results into Python objects," but this effectively executes attacker-controlled code. Additional endpoints lack access control or contain inverted permission logic, significantly expanding the attack surface and enabling chained exploitation. Version 0.23.0 contains a patch for the issue.
RAGFlow, a Retrieval-Augmented Generation engine, is vulnerable to remote code execution (RCE). A low-privileged authenticated user can execute arbitrary system commands on the server by exploiting a flaw in the Canvas CodeExec component, leading to complete system compromise. This vulnerability allows attackers to gain full control of the server and potentially exfiltrate sensitive data or disrupt operations.
Step 1: Authentication: The attacker obtains valid credentials for a low-privileged user account on the RAGFlow system.
Step 2: Payload Injection: The attacker crafts a malicious payload, typically Python code designed to execute system commands (e.g., os.system('whoami'), subprocess.run(['cat', '/etc/passwd'])).
Step 3: Canvas CodeExec Exploitation: The attacker leverages the Canvas CodeExec component, providing the malicious payload as input. This input is then processed by the vulnerable eval() function.
Step 4: Code Execution: The eval() function executes the attacker-controlled Python code, leading to the execution of arbitrary system commands.
Step 5: Command Output: The output of the executed system commands (e.g., user information, file contents) is returned to the attacker.
Step 6: Privilege Escalation (Optional): Depending on the system configuration and the attacker's goals, further exploitation may be attempted to escalate privileges or achieve other objectives.
The vulnerability stems from the use of eval() on untrusted data (stdout) within the Canvas CodeExec component. The intended functionality was to automatically convert string results into Python objects, but the lack of input validation or sandboxing allows an attacker to inject and execute arbitrary Python code. This bypasses the intended security measures and grants the attacker the ability to execute system commands with the privileges of the RAGFlow process. The inverted permission logic and lack of access control on other endpoints further exacerbate the issue, creating a larger attack surface for chained exploitation.
Likely to be exploited by a wide range of threat actors, including both financially motivated groups and state-sponsored actors. The ease of exploitation and the potential for widespread impact make this an attractive target. CISA KEV status: Likely to be added soon.
Monitor system logs for suspicious activity related to the RAGFlow application, including unusual command executions or file access.
Analyze network traffic for unusual patterns, such as unexpected outbound connections from the RAGFlow server.
Implement file integrity monitoring to detect unauthorized modifications to critical system files.
Review application logs for errors or warnings related to the Canvas CodeExec component, particularly those involving eval() or code execution.
Look for indicators of compromise (IOCs) such as specific command executions or file modifications associated with known exploits.
Upgrade to RAGFlow version 0.23.0 or later to patch the vulnerability.
Implement robust input validation and sanitization for all user-supplied data, especially within the Canvas CodeExec component.
Avoid the use of eval() or other dangerous functions that can execute arbitrary code. If unavoidable, implement strict sandboxing and code execution restrictions.
Enforce least privilege principles, ensuring that the RAGFlow application runs with the minimum necessary permissions.
Implement strong access controls and authentication mechanisms to prevent unauthorized access to the RAGFlow system.
Regularly scan the system for vulnerabilities and apply security patches promptly.
Review and harden the system configuration to reduce the attack surface.