infiniflow/ragflow
CVE-2024-10131 represents a critical Remote Code Execution (RCE) vulnerability discovered in infiniflow/ragflow, specifically within the add_llm function. This flaw allows attackers to potentially execute arbitrary code on systems running vulnerable versions (≤latest). The vulnerability stems from insufficient input validation when handling user-supplied data used to dynamically instantiate classes. Prompt patching is crucial to mitigate this risk.
The impact of CVE-2024-10131 is severe. An attacker can leverage the vulnerability to execute arbitrary code within the context of the ragflow application. This could lead to complete system compromise, including data exfiltration, malware installation, and denial of service. The ability to dynamically instantiate classes based on user input bypasses intended security controls, creating a direct pathway for malicious code execution. Successful exploitation could grant an attacker persistent access and control over the affected system, potentially leading to broader network compromise if the system has access to sensitive resources or internal networks.
CVE-2024-10131 was publicly disclosed on 2024-10-19. Currently, no public proof-of-concept (PoC) code has been released, but the vulnerability's nature suggests a relatively high probability of exploitation. It is not listed on the CISA KEV catalog as of this writing. The ease of exploitation, given the lack of input validation, warrants immediate attention and mitigation efforts.
Organizations deploying ragflow in production environments, particularly those with user-facing interfaces that accept LLM factory configurations, are at significant risk. Development teams using ragflow for rapid prototyping or experimentation should also prioritize patching to prevent accidental exposure of vulnerable code. Shared hosting environments where multiple users can potentially influence application configuration are especially vulnerable.
• python / application:
import os
import subprocess
def check_ragflow_version():
try:
result = subprocess.run(['pip', 'show', 'ragflow'], capture_output=True, text=True, check=True)
version = result.stdout.split('Version: ')[1].split('\n')[0]
if version <= '0.11.0':
print(f"Vulnerable version detected: {version}")
else:
print(f"Safe version detected: {version}")
except subprocess.CalledProcessError:
print("ragflow not installed.")
check_ragflow_version()• linux / server:
ps aux | grep -i ragflow• generic web:
Inspect HTTP requests to the addllm endpoint for suspicious values in the llmfactory parameter. Look for unusual characters or patterns that could indicate an attempt to inject malicious code.
disclosure
エクスプロイト状況
EPSS
2.97% (86% パーセンタイル)
CISA SSVC
CVSS ベクトル
The primary mitigation for CVE-2024-10131 is to upgrade to a patched version of ragflow as soon as it becomes available. Until a patch is applied, implement strict input validation on all user-supplied data, particularly the req['llmfactory'] and req['llmname'] parameters within the add_llm function. Consider implementing a Web Application Firewall (WAF) with rules to detect and block suspicious requests containing potentially malicious payloads. Regularly review and audit the ragflow configuration to ensure adherence to security best practices. Monitor application logs for any unusual activity or error messages related to class instantiation.
Actualice la biblioteca infiniflow/ragflow a una versión posterior a 0.11.0 que corrija la vulnerabilidad de ejecución remota de código. Verifique las notas de la versión para confirmar que la vulnerabilidad CVE-2024-10131 ha sido abordada. Si no hay una versión corregida disponible, considere implementar validación y sanitización de entradas en la función `add_llm` para mitigar el riesgo.
脆弱性分析と重要アラートをメールでお届けします。
CVE-2024-10131 is a critical RCE vulnerability in infiniflow/ragflow versions up to 0.11.0. It allows attackers to execute arbitrary code by manipulating input parameters, potentially leading to system compromise.
If you are using ragflow version 0.11.0 or earlier, you are potentially affected by this vulnerability. Immediately assess your environment and apply the recommended mitigations.
The recommended fix is to upgrade to a patched version of ragflow as soon as it becomes available. Until then, implement strict input validation on user-supplied data.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a high probability of active exploitation. Monitor your systems closely.
Refer to the infiniflow/ragflow project's official repository and communication channels for updates and advisories regarding CVE-2024-10131.
requirements.txt ファイルをアップロードすると、影響の有無を即座にお知らせします。