| Title | Exploding Gradients ragas latest (commit 2b38724) Path Traversal / Server-Side Request Forgery (CWE-22 / CWE-918) |
|---|
| Description | # Technical Details
An Incomplete Fix vulnerability exists in `src/ragas/metrics/collections/multi_modal_faithfulness/util.py` of ragas.
The security patch for CVE-2025-45691 was only applied to `src/ragas/prompt/multi_modal_prompt.py`, but the `collections/` module contains a parallel reimplementation of the same image processing logic that received zero security controls. The two vulnerable functions are `_try_process_local_file()` and `_try_process_url()`, both called via `process_image_to_base64()` for every item in user-supplied `retrieved_contexts`.
# Vulnerable Code
File: src/ragas/metrics/collections/multi_modal_faithfulness/util.py (lines 123-210)
Method: _try_process_local_file, _try_process_url
_try_process_local_file(): Opens any file path that exists on the filesystem with no feature gate, no allowed-directory restriction, and no traversal check, so any valid image file anywhere on the server can be read.
_try_process_url(): Passes URLs directly to `requests.get()` without DNS resolution or IP validation, allowing connections to 127.0.0.1, x.x.x.x, 10.x.x.x, or any internal address.
Note: multi_modal_relevance/util.py directly imports and reuses these same vulnerable functions.
# Reproduction
1. LFI: Send a POST request with a local file path in retrieved_contexts:
curl -s -X POST http://TARGET/evaluate -H 'Content-Type: application/json' -d '{"response":"test","retrieved_contexts":["/etc/shadow_image.png"]}'
The file content is base64-encoded and returned in the response (and sent to the LLM API).
2. SSRF: Send a POST request with an internal URL in retrieved_contexts:
curl -s -X POST http://TARGET/evaluate -H 'Content-Type: application/json' -d '{"response":"test","retrieved_contexts":["http://x.x.x.x/latest/meta-data/"]}'
# Impact
- Arbitrary File Read (LFI): Any image file on the server filesystem can be exfiltrated via base64-encoding into the LLM API call.
- SSRF: Server makes HTTP requests to internal services including cloud metadata endpoints (http://x.x.x.x/) for cloud credential theft.
- The patched multi_modal_prompt.py has 10 security controls; the collections/ module has zero — the fix is incomplete.
|
|---|
| Source | ⚠️ https://gist.github.com/YLChen-007/3bbdef543d1cedced24c737bc39ac0d6 |
|---|
| User | Eric-y (UID 95889) |
|---|
| Submitted | 27/03/2026 13:09 (23 days ago) |
|---|
| Moderation | 19/04/2026 07:48 (23 days later) |
|---|
| Status | accepted |
|---|
| VulDB entry | 358222 [vibrantlabsai RAGAS up to 0.4.3 Collections util.py _try_process_local_file/_try_process_url retrieved_contexts privilege escalation] |
|---|
| Points | 20 |
|---|
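
The description lists the controls missing from the `collections/` helpers: a feature gate, an allowed directory, a traversal check, and DNS/IP validation. The sketch below shows one way to implement those checks; it is an added example, not ragas code and not the CVE-2025-45691 patch, and `ALLOWED_IMAGE_DIR`, `ALLOW_LOCAL_FILES` and the three function names are hypothetical.

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlparse

# Assumed deployment settings; neither name exists in ragas.
ALLOWED_IMAGE_DIR = Path("/srv/eval/images")
ALLOW_LOCAL_FILES = False  # feature gate: local reads are off unless enabled


def is_safe_local_path(candidate, base=ALLOWED_IMAGE_DIR, enabled=ALLOW_LOCAL_FILES):
    """True only if local reads are enabled and the path resolves inside base."""
    if not enabled:
        return False
    root = Path(base).resolve()
    # An absolute candidate replaces base in the join; resolve() collapses
    # "../" and follows symlinks, so both escapes fail the containment test.
    return (root / candidate).resolve().is_relative_to(root)


def is_public_ip(addr):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global  # False for loopback, RFC 1918, link-local, reserved


def is_safe_url(url, resolve=socket.getaddrinfo):
    """True only if the URL is http(s) and every resolved address is public."""
    try:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        infos = resolve(parts.hostname, parts.port or 80, type=socket.SOCK_STREAM)
        addrs = [info[4][0] for info in infos]
        # One internal record is enough to reject: the client may pick any of them.
        return bool(addrs) and all(is_public_ip(a) for a in addrs)
    except (OSError, ValueError):  # resolution failure or malformed URL/address
        return False


if __name__ == "__main__":
    # Constructed inputs modelled on the retrieved_contexts values above.
    for item in ["/etc/shadow_image.png", "http://127.0.0.1/latest/meta-data/"]:
        ok = is_safe_url(item) if "://" in item else is_safe_local_path(item)
        print(f"{item!r}: {'allow' if ok else 'reject'}")
```

A check like this only helps if the fetch then connects to the address that was validated and does not follow redirects; otherwise a second DNS lookup or a redirect can still reach an internal host.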