CVE-2026-24770
RAGFlow · RAGFlow
A critical "Zip Slip" vulnerability exists in the RAGFlow open-source engine, which could allow an unauthenticated remote attacker to gain full control of the server.
Executive summary
A critical "Zip Slip" vulnerability exists in the RAGFlow open-source engine, which could allow an unauthenticated remote attacker to gain full control of the server. By uploading a specially crafted ZIP archive, an attacker can overwrite arbitrary files, leading to remote code execution. This vulnerability poses a severe risk of complete system compromise, data breach, and service disruption.
Vulnerability
The vulnerability is a path traversal flaw, commonly known as "Zip Slip," within the MinerUParser class. The _extract_zip_no_root function responsible for extracting ZIP archives fails to properly sanitize or validate the file paths contained within the archive. An attacker can create a malicious ZIP file containing entries with path traversal sequences (e.g., ../../../../path/to/malicious_file.sh). When the RAGFlow application processes this archive, it will extract the file outside of the intended destination directory, allowing the attacker to overwrite sensitive system files, such as shell configuration files, web server executables, or SSH authorized keys, ultimately leading to remote code execution on the underlying server.
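The check that an extraction routine like the one described above is missing, shown as an added example rather than RAGFlow's own code or its fix: every entry is resolved against the destination and refused if it would land outside it. The helper names (safe_extract_zip, build_zip, demo) are hypothetical, and the two archives are constructed in memory for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def safe_extract_zip(zip_bytes: bytes, dest_dir: str) -> list:
    """Extract into dest_dir, refusing any entry whose resolved path escapes it
    (the Zip Slip pattern). Hypothetical hardened routine, not RAGFlow's code."""
    dest = Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Joining an absolute name replaces dest, and resolve() collapses
            # '..' components, so one containment check covers both cases.
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {info.filename!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(dest).as_posix())
    return written


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: content}; constructed sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)  # writestr keeps '../' in the entry name
    return buf.getvalue()


def demo() -> tuple:
    """Extract a benign archive, then one carrying a '../' entry; returns the
    files written, the rejection message, and whether the escaped file exists."""
    root = tempfile.mkdtemp()
    out = os.path.join(root, "uploads", "job")
    ok = safe_extract_zip(build_zip({"doc/page1.md": b"# hello\n"}), out)
    try:
        safe_extract_zip(build_zip({"../../escaped.txt": b"outside\n"}), out)
        err = None
    except ValueError as exc:
        err = str(exc)
    return ok, err, os.path.exists(os.path.join(root, "escaped.txt"))
```

The containment test on the resolved path is what matters: string filtering of `../` alone misses absolute names and encoded or interleaved sequences, while a resolved-path check rejects anything that does not end up under the destination.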
Business impact
This vulnerability is rated as critical with a CVSS score of 9.8, reflecting the high potential for severe business impact. Successful exploitation grants an attacker complete control over the affected server, enabling them to execute arbitrary commands. This could lead to the theft or destruction of sensitive data, deployment of ransomware, disruption of business-critical services, and use of the compromised system to launch further attacks against the internal network. The potential consequences include significant financial losses, reputational damage, and regulatory penalties related to data breaches.
Remediation
Immediate Action: Upgrade all RAGFlow instances without delay to a patched version that incorporates the fix from commit 64c75d558e4a17a4a48953b4c201526431d8338f, or to a subsequent official release. After patching, review system logs and file integrity to detect any signs of prior compromise.
Proactive Monitoring:
- Monitor web server and application logs for suspicious ZIP file upload attempts, particularly those that result in errors or unexpected behavior.
- Implement file integrity monitoring (FIM) on critical system directories to alert on unauthorized changes.
- Monitor for unusual process execution, outbound network connections, or newly created user accounts on the RAGFlow server, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Use a Web Application Firewall (WAF) with rules designed to inspect and block file uploads containing path traversal sequences.
- Run the RAGFlow application as a low-privilege user to limit the scope of files that can be overwritten.
- Segment the RAGFlow server from other critical network resources to contain the potential impact of a breach.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.8) and the potential for complete system compromise, we strongly recommend that organizations prioritize the immediate patching of this vulnerability. The risk of remote code execution presents a direct threat to the confidentiality, integrity, and availability of the affected system and the data it processes. Although this CVE is not currently listed on the CISA KEV catalog, its critical nature warrants treatment as an urgent and immediate threat.