Technical description
A Jinja2 Server-Side Template Injection (SSTI) vulnerability in RAGFlow's prompt generator (rag/prompts/generator.py) allows any authenticated user — including a normally-registered free account — to execute arbitrary OS commands on the host server. Exploitation requires only that a user create a Canvas workflow with a DuckDuckGo + LLM component chain; import alone is sufficient to trigger code execution. CVSS score is 9.9 (Critical). RAGFlow is an open-source RAG engine with over 52,000 GitHub stars.
Attack vector
An authenticated web user creates or imports a crafted Canvas workflow; the prompt generator renders the resulting Jinja2 template in an unsandboxed environment, which allows OS command injection via Python's `os.popen` reached through the Jinja2 `cycler.__init__.__globals__` attribute chain. Exploitation does not require administrator privileges; any registered user suffices.
Affected systems
RAGFlow versions 0.24.0 and earlier (open-source RAG engine, infiniflow/ragflow on GitHub). Self-hosted deployments only. Cloud-managed deployments may vary by provider configuration.
Mitigation
Upgrade to a patched version (see GHSA-wpg4-h5g2-jxm6). If immediate upgrade is not possible, disable Canvas workflow creation by untrusted users, enforce network-level isolation for RAGFlow servers, and apply the principle of least privilege so the RAGFlow process does not run as root. Review server logs for unusual subprocess invocations from the ragflow process.
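The attack vector and mitigation sections above describe the same root cause: user-controlled text becoming Jinja2 template source in a plain Environment. The following added example (not RAGFlow's own code and not its actual patch; the function names and the probe are assumptions) contrasts that vulnerable pattern with two hardened ones, using a non-executing probe that only checks whether the dunder attribute chain the advisory names can be resolved at all.

```python
"""Hardening check for Jinja2 prompt rendering (added illustration).

Assumed/hypothetical names: render_unsandboxed, render_sandboxed,
render_user_text_as_data, chain_is_blocked, PROBE, PROMPT.
"""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import ImmutableSandboxedEnvironment

# Constructed probe: walks the attribute chain the advisory names only as far
# as the module globals dict and reports whether it resolved. It executes
# nothing; its only purpose is to tell a sandboxed renderer from a plain one.
PROBE = "{{ (cycler.__init__.__globals__ | length) > 0 }}"

# A legitimate prompt template, as a trusted component author would ship it.
PROMPT = "Summarize {{ topic }} in {{ n }} sentences."


def render_unsandboxed(src: str, **ctx) -> str:
    """Vulnerable pattern: caller-supplied text becomes template *source*."""
    return Environment(autoescape=False).from_string(src).render(**ctx)


def render_sandboxed(src: str, **ctx) -> str:
    """Mitigation 1: the immutable sandbox refuses attributes starting with
    '_' (and Python-internal attributes) and raises SecurityError instead."""
    env = ImmutableSandboxedEnvironment(autoescape=False)
    return env.from_string(src).render(**ctx)


def render_user_text_as_data(user_text: str) -> str:
    """Mitigation 2: only trusted code defines template source; whatever the
    user typed is passed as a context variable and is never parsed."""
    env = ImmutableSandboxedEnvironment(autoescape=False)
    return env.from_string("User prompt: {{ user_text }}").render(user_text=user_text)


def chain_is_blocked(renderer) -> bool:
    """True if the renderer refuses the dunder attribute chain in PROBE."""
    try:
        renderer(PROBE)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("plain Environment blocks chain:", chain_is_blocked(render_unsandboxed))  # False
    print("sandbox blocks chain:          ", chain_is_blocked(render_sandboxed))    # True
    print(render_user_text_as_data(PROBE))  # probe is echoed back as literal text
```

The first mitigation alone still lets users author template syntax, so treating user text purely as data (the second pattern) is the stronger fix wherever the product does not actually need user-written templates.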