# RAGFlow — SSRF filter bypass via DNS rebinding TOCTOU

STATUS: ALMOST_REPORT (needs investigation; do not submit)
readiness: NEEDS_INVESTIGATION
program: RAGFlow | platform: huntr | repo: infiniflow/ragflow | commit: 2026-02-12-scan

````
Repository URL: https://github.com/infiniflow/ragflow
Package Manager: poetry/pip
Version Affected: latest (observed in 2026-02-12 scan)
Vulnerability Type: Server-Side Request Forgery (SSRF)

CVSS:
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: Low

Title: is_valid_url can be bypassed through DNS rebinding between validation and fetch

Impact: Bypasses intended SSRF protections and can expose metadata services/internal APIs, potentially leading to credential theft and internal reconnaissance.

Description:

# Description

RAGFlow URL validation resolves hostnames to reject private/internal IPs, but request execution performs a separate DNS resolution later. This creates a TOCTOU window: a DNS-rebinding hostname can answer with a public IP during validation and with an internal IP when the actual request is made.

# Proof of Concept

1. Host a rebinding domain that alternates between a public IP and the internal target IP.
2. Submit the URL to a feature that calls `is_valid_url` (e.g., the crawl/parse flow).
3. Ensure the validation phase resolves to the public IP.
4. During the fetch phase, the DNS answer rebinds to the internal IP (e.g., 169.254.169.254).

Expected vulnerable behavior: the request passes URL validation but is ultimately sent to the internal destination.

### Impact

Bypasses intended SSRF protections and can expose metadata services/internal APIs, potentially leading to credential theft and internal reconnaissance.
### Occurrences

```
Permalink: https://github.com/infiniflow/ragflow/blob/main/api/utils/web_utils.py#L159
Description: URL validation relies on resolution that can diverge from subsequent request resolution (TOCTOU)
```

### References

```
URL: https://cwe.mitre.org/data/definitions/367.html
Name: CWE-367: Time-of-check Time-of-use Race Condition
URL: https://cwe.mitre.org/data/definitions/918.html
Name: CWE-918: SSRF
URL: https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
Name: OWASP SSRF
```
````
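The remediation the report implies is to make the address that was validated the address that is connected to, rather than validating a name and letting the HTTP client resolve it a second time. The following is an added example written for this draft; it is not RAGFlow's code and makes no claim about how `is_valid_url` in `web_utils.py` is implemented. The function names (`validate_and_pin`, `pinned_get`, `make_rebinding_resolver`), the hostname `doc-host.example` and the address `1.2.3.4` are constructed for the demonstration. It resolves once, rejects the URL if any returned address is non-public (including IPv4-mapped IPv6 and literal-IP hosts), and opens the socket to the pinned IP while keeping the original hostname for the Host header and TLS SNI. A small resolver test double that answers differently on the second lookup reproduces the window described in the proof of concept and shows that the pinned path is unaffected.

```python
import http.client
import ipaddress
import socket
import ssl
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# A resolver maps a hostname to the IP strings it currently resolves to.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver (A and AAAA), de-duplicated."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_disallowed_ip(ip: str) -> bool:
    """True for any address a server-side fetcher must never contact: loopback,
    RFC 1918, link-local (169.254.0.0/16, which holds the cloud metadata address),
    multicast, reserved, unspecified or otherwise non-global. IPv4-mapped IPv6
    (::ffff:a.b.c.d) is unwrapped so it cannot smuggle a v4 address past the check."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def validate_and_pin(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str, int]:
    """Resolve the host exactly once, reject the URL if ANY answer is disallowed,
    and return (hostname, pinned_ip, port). The caller connects to pinned_ip and
    never re-resolves the name, so a later DNS answer cannot move the destination."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only http(s) URLs with a host are allowed")
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ips = [str(ipaddress.ip_address(host))]  # host is already an IP literal
    except ValueError:
        ips = resolver(host)                       # the single resolution
    if not ips:
        raise ValueError(f"{host} did not resolve")
    for ip in ips:
        if is_disallowed_ip(ip):
            raise ValueError(f"{host} resolves to disallowed address {ip}")
    return host, ips[0], port


def pinned_get(url: str, resolver: Resolver = system_resolver, timeout: float = 10.0) -> bytes:
    """GET over a socket opened to the pinned IP. Host header and TLS SNI/certificate
    name still use the hostname. Redirects are not followed; each Location must be
    passed through validate_and_pin again before it is fetched."""
    host, ip, port = validate_and_pin(url, resolver)
    parts = urlsplit(url)
    path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    default_port = 443 if parts.scheme == "https" else 80
    name = f"[{host}]" if ":" in host else host            # bracket IPv6 literals
    host_header = name if port == default_port else f"{name}:{port}"
    raw = socket.create_connection((ip, port), timeout=timeout)
    if parts.scheme == "https":
        ctx = ssl.create_default_context()
        raw = ctx.wrap_socket(raw, server_hostname=host)   # SNI + cert check by name
        conn = http.client.HTTPSConnection(ip, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.sock = raw   # pre-attached socket: http.client will not resolve or reconnect
    conn.request("GET", path, headers={"Host": host_header})
    try:
        return conn.getresponse().read()
    finally:
        conn.close()


def make_rebinding_resolver(first_ip: str, later_ip: str) -> Resolver:
    """Constructed test double: answers first_ip on the first lookup and later_ip
    on every later lookup, i.e. the rebinding behaviour described in the report."""
    calls = {"n": 0}

    def resolve(host: str) -> List[str]:
        calls["n"] += 1
        return [first_ip] if calls["n"] == 1 else [later_ip]

    return resolve


def naive_fetch_target(url: str, resolver: Resolver) -> str:
    """The vulnerable pattern: validate, then let the HTTP client resolve again."""
    validate_and_pin(url, resolver)              # time of check (resolution 1)
    return resolver(urlsplit(url).hostname)[0]   # time of use (resolution 2)


def pinned_fetch_target(url: str, resolver: Resolver) -> str:
    """The hardened pattern: the validated address is the address used."""
    return validate_and_pin(url, resolver)[1]


if __name__ == "__main__":
    url = "http://doc-host.example/page"   # constructed hostname
    print("naive  ->", naive_fetch_target(url, make_rebinding_resolver("1.2.3.4", "169.254.169.254")))
    print("pinned ->", pinned_fetch_target(url, make_rebinding_resolver("1.2.3.4", "169.254.169.254")))
```

Two details matter when porting this to a real fetcher. First, the check rejects the URL when any of the resolved addresses is internal, not only the first, because a client may fall back to a later answer. Second, pinning must be repeated on every redirect hop; a client that follows `Location` headers on its own reopens the same window. If the project uses `requests` rather than `http.client`, the equivalent is a transport adapter that connects to the pinned address while keeping the hostname for SNI and the Host header.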