Executive Summary

This vulnerability is a Server-Side Template Injection (SSTI) in the Prompt Generator component of RAGFlow, an open-source Retrieval-Augmented Generation engine. Specifically, in versions 0.24.0 and earlier, the Jinja2 template environment used in the file rag/prompts/generator.py is unsandboxed and renders user-controlled input. This allows any authenticated user to inject malicious Jinja2 code through the sys_prompt parameter's <CITATION_GUIDELINES> tag, which is then executed on the server.

An attacker can exploit this by registering a normal user account, creating a Canvas workflow with a DuckDuckGo + LLM component chain, and injecting a malicious payload. When the citation_prompt() function renders the template, the injected code executes arbitrary operating system commands on the server, leading to remote code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user to execute arbitrary OS commands on the server hosting RAGFlow. This means an attacker can potentially take full control of the server, leading to data theft, data loss, service disruption, or further attacks within the network.

The vulnerability has a critical severity score of 9.9 (CVSS v3), indicating it is highly exploitable with low attack complexity and no user interaction required beyond authentication. The attacker does not need special privileges or API keys, making it easier to exploit.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for unusual or unauthorized execution of OS commands triggered by Jinja2 template rendering in the RAGFlow prompt generator. Since exploitation requires an authenticated user creating a Canvas workflow with a DuckDuckGo + LLM component chain, suspicious creation or modification of such workflows should be logged and reviewed.

Specific commands to detect exploitation attempts are not provided in the available resources. However, general detection methods could include:

• Reviewing application logs for unexpected template rendering errors or suspicious payloads in the `sys_prompt` parameter.
• Monitoring system command execution logs for commands initiated by the RAGFlow process or unexpected user accounts.
• Using network monitoring tools to detect unusual outbound connections or data exfiltration attempts originating from the server.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading RAGFlow to a version later than 0.24.0 where this Server-Side Template Injection vulnerability is fixed.

Until an upgrade is possible, restrict or disable user registration and the ability to create Canvas workflows with DuckDuckGo + LLM components to prevent exploitation.

Additionally, implement strict input validation and sandboxing for Jinja2 template rendering to prevent execution of arbitrary OS commands.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows any authenticated user to execute arbitrary OS commands on the server, potentially leading to full system compromise.

Such a compromise could result in unauthorized access to sensitive data, which may violate compliance requirements under standards like GDPR and HIPAA that mandate protection of personal and health information.

Therefore, this vulnerability poses a significant risk to maintaining compliance with these regulations due to the potential for data breaches and loss of data integrity.

Useful 0 Not Useful 0