Problem Description
POST /tools/call is exposed without any authentication, authorization, or tool-level allowlist. Combined with the default-registered shell tool, any unauthenticated network attacker who can reach the API port can execute arbitrary OS commands as the service user.
Steps to Reproduce
1. Start Langchain-Chatchat v0.3.1 following the official docs, with the API listening on a network-reachable address.
2. Without any authentication or credentials, query the tool listing endpoint:
curl -s http://x.x.x.x:x/tools
Confirm that a shell tool entry is present in the response.
3. Without any authentication or credentials, send a POST request to /tools/call invoking the shell tool with a command that produces a persistent side effect on the server (e.g. writing a marker file under /tmp).
The full exploit payload has been disclosed privately via GitHub Security Advisory and is intentionally omitted from this public issue.
4. SSH (or otherwise log in) to the server running the service. Verify that the marker file specified in step 3 was created and inspect its contents.
5. Inspect the server logs for an Executing command: ... entry corresponding to the request.
Expected Result
1. /tools/call should enforce authentication and authorization before invoking any tool. Unauthenticated requests should be rejected with 401 Unauthorized or 403 Forbidden.
2. High-risk tools such as shell (which execute arbitrary OS commands) should not be exposed through an unauthenticated HTTP endpoint. They should be disabled by default and only callable through authenticated internal channels after explicit opt-in.
3. The server log should not contain Executing command: ... entries triggered by anonymous HTTP requests.
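The three controls above, as an added example written for this report rather than Langchain-Chatchat's own code: a dispatcher with no checks (the pattern the report describes) next to a hardened one that authenticates the caller, refuses high-risk tools unless an operator has opted in, and writes an audit line only for calls that actually execute. The request/response shapes, the Authorization: Bearer header, the Policy object and the audit log list are assumptions made for the demonstration; the shell tool body really does run the command, so it is only enabled in the example after explicit opt-in.

```python
"""Model of an unauthenticated /tools/call dispatcher next to a hardened one.

Illustrative example written for this report; it is not Langchain-Chatchat's
own code. Request and response shapes, header names and the Policy object are
assumptions made for the demonstration.
"""
import hmac
import subprocess
from dataclasses import dataclass


def shell_tool(args):
    """Runs an OS command as the service user: the capability that must
    never be reachable anonymously. Output is returned to the caller."""
    proc = subprocess.run(args["command"], shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def word_count_tool(args):
    """A low-risk tool, for contrast."""
    return len(args["text"].split())


# Tool registry. Each entry records whether the tool is high risk so the
# authorization policy can refuse it unless explicitly enabled.
TOOLS = {
    "shell": {"fn": shell_tool, "high_risk": True},
    "word_count": {"fn": word_count_tool, "high_risk": False},
}


def vulnerable_call(body):
    """Before: look the tool up by name and run it. No authentication,
    no authorization, no allowlist, so `shell` is one POST away."""
    tool = TOOLS.get(body.get("name"))
    if tool is None:
        return 404, {"error": "unknown tool"}
    return 200, {"result": tool["fn"](body.get("tool_input", {}))}


@dataclass(frozen=True)
class Policy:
    """Deployment configuration (assumed shape). High-risk tools stay off
    unless an operator lists them in enabled_high_risk_tools."""
    api_keys: frozenset
    enabled_high_risk_tools: frozenset = frozenset()


def _authenticated(headers, policy):
    """Bearer-token check with constant-time comparison. Header names are
    matched case-insensitively; every configured key is compared so the
    loop's timing does not depend on which key (if any) matched."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):].encode()
    ok = False
    for key in policy.api_keys:
        ok |= hmac.compare_digest(presented, key.encode())
    return ok


def hardened_call(headers, body, policy, log):
    """After: authenticate the caller, then authorize the specific tool,
    then dispatch. `log` collects the audit lines the server would emit."""
    if not _authenticated(headers, policy):
        return 401, {"error": "authentication required"}
    name = body.get("name")
    tool = TOOLS.get(name)
    if tool is None:
        return 404, {"error": "unknown tool"}
    if tool["high_risk"] and name not in policy.enabled_high_risk_tools:
        log.append(f"Denied high-risk tool {name!r}: not enabled by policy")
        return 403, {"error": f"tool {name!r} is disabled"}
    log.append(f"Executing tool {name!r}")
    return 200, {"result": tool["fn"](body.get("tool_input", {}))}


if __name__ == "__main__":
    shell_req = {"name": "shell", "tool_input": {"command": "echo marker"}}
    print(vulnerable_call(shell_req))                      # anonymous command execution
    audit = []
    policy = Policy(api_keys=frozenset({"k-example"}))
    print(hardened_call({}, shell_req, policy, audit))     # 401
    print(hardened_call({"Authorization": "Bearer k-example"},
                        shell_req, policy, audit))         # 403, logged as denied
    print(audit)
```

The ordering in hardened_call matters: the 401 is returned before the tool name is even looked up, so anonymous callers cannot enumerate which tools exist, and the audit line for execution is written only after both checks pass, which is what makes an Executing ... entry from an anonymous request impossible rather than merely unlikely.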
Actual Result
1. /tools/call accepts arbitrary anonymous requests with no authentication, authorization, or tool allowlist enforcement.
2. The marker file is created on disk, and its contents are the genuine output of the command (e.g. for id: uid=1000(...) gid=1000(...) groups=...).
3. The server log contains an Executing command: ... entry matching the anonymous request, so the log and the marker file together confirm that the command ran.
Environment Information
- Langchain-Chatchat v0.3.1
- Python version: 3.10
Additional Information
A unified PoC script demonstrating the vulnerabilities is available. Please contact [x1c251109@163.com] for the full PoC, detailed report, and reproduction steps.
Disclaimer
This report is submitted for responsible disclosure. The PoC is intended solely for authorized security testing and vulnerability validation by the Langchain-Chatchat maintainers.