RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a malicious ZIP archive. The MinerUParser class retrieves and extracts ZIP files from an external source (mineru_server_url). The extraction logic in `_extract_zip_no_root` fails to sanitize filenames within the ZIP archive. Commit 64c75d558e4a17a4a48953b4c201526431d8338f contains a patch for the issue.
The MinerUParser class downloads and extracts ZIP archives from an external source specified by the mineru_server_url parameter. The _extract_zip_no_root function responsible for extraction does not perform sanitization of filenames contained in the ZIP archive. An attacker can provide a malicious ZIP archive containing paths with path traversal sequences (e.g., '../../'), which allows writing files outside the intended target directory and overwriting arbitrary system or application files, leading to code execution.
An attacker without any authentication can overwrite arbitrary files on the server, which consequently enables full remote code execution (RCE) and takeover of server control.
RAGFlow should be updated to a version containing the fix introduced in commit 64c75d558e4a17a4a48953b4c201526431d8338f. Details available in vendor references (GitHub Security Advisory GHSA-v7cf-w7gj-pgf4).
Infiniflow RAGFlow version 0.23.1 and likely earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HInfiniflow Ragflow
APPInfiniflow≤ 0.23.1
Related vulnerabilities
Przejęcie konta w RAGFlow poprzez brute-force kodów weryfikacyjnych
Infiniflow RAGflow: SSRF, Arbitrary File Read i RCE w funkcji web_crawl
RCE w Infiniflow RagFlow — statyczny klucz AuthKey i niebezpieczna deserializacja pickle
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-...
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-priv...