RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/generator.py) allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas workflow with a DuckDuckGo + LLM component chain, and trigger the SSTI.
The file rag/prompts/generator.py processes user input using the Jinja2 template engine without proper sanitization, resulting in a CWE-1336 vulnerability (improper neutralization of special elements in templates). An attacker creates a Canvas workflow containing a DuckDuckGo component connected to an LLM component and injects a malicious Jinja2 payload into the prompt field. Upon workflow execution, the server evaluates the template, leading to execution of embedded system commands. The vulnerability does not require elevated privileges – a regular user account is sufficient.
An attacker can gain full control over the server by remotely executing arbitrary operating system commands (RCE), enabling data theft, backdoor installation, privilege escalation, and compromise of confidentiality, integrity, and availability of the entire system. Due to the scope of impact (Scope: Changed in CVSS vector), the consequences may extend beyond the directly affected application component.
Apply patches available from the vendor according to the references (GHSA-wpg4-h5g2-jxm6 advisory on GitHub). Until the update is applied, it is recommended to restrict new user registration and monitor activity in the Canvas module. If RAGFlow is publicly exposed, consider temporarily blocking access or placing the instance behind a firewall/VPN.
RAGFlow (open-source, infiniflow/ragflow project) versions 0.24.0 and earlier
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H