WeKnora: SSRF via Redirection

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, the application's "Import document via URL" feature is vulnerable to Server-Side Request Forgery (SSRF) through HTTP redirects. While the backend implements comprehensive URL validation (blocking private IPs, loopback addresses, reserved hostnames, and cloud metadata endpoints), it fails to validate redirect targets. An attacker can bypass all protections by using a redirect chain, forcing the server to access internal services. Additionally, Docker-specific internal addresses like host.docker.internal are not blocked. This issue has been patched in version 0.2.12.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

服务端请求伪造(SSRF)

WeKnora 代码问题漏洞

WeKnora是Tencent开源的一个基于LLM的框架，具有使用RAG范式进行深度文档理解、语义检索和上下文感知答案等功能。 WeKnora 0.2.12之前版本存在代码问题漏洞，该漏洞源于通过URL导入文档功能存在服务端请求伪造，可能通过HTTP重定向链绕过所有保护措施，强制服务器访问内部服务。

N/A

N/A