DEV Community

razashariff

DVRAG: The First Deliberately Vulnerable RAG Pipeline for Security Testing

25 vulnerabilities. 15 challenges. 22 API endpoints. Every one mapped to the OWASP RAG Security Cheat Sheet (submitted, PR #2131).


RAG Has an Attack Surface Nobody Is Testing in Detail

Every enterprise AI chatbot, copilot, and knowledge assistant uses Retrieval-Augmented Generation (RAG). Documents go in. Answers come out. Between those two steps is an attack surface that most teams have never tested.

Document poisoning. Cross-tenant data leakage. Embedding inversion. Cache poisoning. Prompt injection via retrieved content. Tool execution from model output. None of these are theoretical. They are happening in production.

The problem: there was nowhere to practice attacking a RAG pipeline safely. DVWA exists for web apps. DVMCP exists for MCP servers. Nothing existed for RAG.

So we built DVRAG.

What Is DVRAG

DVRAG is a deliberately insecure RAG pipeline. Pull the Docker image, run it, and start attacking. Every vulnerability is intentional, documented, and mapped to the attack surfaces seen in the wild.

Live at: dvrag.com

Source: Private (Docker image available)

25 Deliberate Vulnerabilities

Every vulnerability maps to a section of the OWASP RAG Security Cheat Sheet (submitted, PR #2131) and a CWE:

Document Poisoning (CWE-345)
No content scanning on ingestion. 3 poisoned documents in the corpus actively override system behaviour. Adversarial content accepted without validation.

Cross-Tenant Data Leakage (CWE-200)
Flat namespace. Tenant A retrieves Tenant B data freely. No isolation. No encryption at rest.

Admin Auth Bypass (CWE-798)
Hardcoded credentials (admin/rag123). No session management. No MFA. Config and credentials exposed without authentication.

Query Injection (CWE-74)
Raw queries to vector search. Similarity scores exposed. No input normalisation.

Output Validation (CWE-200)
Raw model output returned. No PII filtering. Secrets, PHI, and insider trading data exposed in responses.

Tool Execution (CWE-862)
6 tools callable from model output: transfer_funds, delete_record, export_data, send_email, modify_permissions, execute_code. Zero authorisation.
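The fix for this class of defect is an authorisation layer that sits between model output and tool execution. The following is an added example, not DVRAG's code: it treats the model's text as untrusted, parses only an explicit "TOOL: {json}" line format (a constructed convention), takes the tenant and role from the authenticated session rather than from the model or request body, and records every decision as a structured entry. The tool names are the six from the list above; the risk tiers, role table and approval set are assumptions for illustration.

```javascript
// Added example, not DVRAG's code: an authorisation layer between model output
// and tool execution. The "TOOL: {json}" line format, the risk tiers and the
// role table are constructed assumptions for illustration.

const TOOL_POLICY = {
  export_data:        { tier: 'read',        scope: 'tenant' },
  send_email:         { tier: 'write',       scope: 'tenant' },
  transfer_funds:     { tier: 'destructive', scope: 'tenant' },
  delete_record:      { tier: 'destructive', scope: 'tenant' },
  modify_permissions: { tier: 'destructive', scope: 'admin' },
  execute_code:       { tier: 'blocked' },   // never callable from model output
};
const TIER_RANK = { read: 1, write: 2, destructive: 3 };
const ROLE_MAX_TIER = { viewer: 'read', operator: 'write', admin: 'destructive' };

// Model output is untrusted text. Only lines of the exact form "TOOL: {...}" are
// considered, and anything that is not valid JSON with a string name is dropped.
function extractToolCalls(modelOutput) {
  const calls = [];
  for (const line of modelOutput.split('\n')) {
    const m = /^TOOL:\s*(\{.*\})\s*$/.exec(line);
    if (!m) continue;
    try {
      const parsed = JSON.parse(m[1]);
      if (typeof parsed.name === 'string') calls.push({ name: parsed.name, args: parsed.args || {} });
    } catch (e) { /* malformed tool call: ignore, never execute */ }
  }
  return calls;
}

// Decide whether the authenticated principal (taken from the session, not from
// the model or the request body) may run this tool. Always returns a reason.
function authoriseToolCall(call, principal, approvals = new Set()) {
  const policy = TOOL_POLICY[call.name];
  const args = call.args || {};
  if (!policy) return { allowed: false, reason: 'unknown tool' };
  if (policy.tier === 'blocked') return { allowed: false, reason: 'tool disabled' };
  // The model may emit any tenantId it likes; it must match the session's tenant.
  if (args.tenantId !== undefined && args.tenantId !== principal.tenantId) {
    return { allowed: false, reason: 'cross-tenant argument' };
  }
  if (policy.scope === 'admin' && principal.role !== 'admin') {
    return { allowed: false, reason: 'requires admin role' };
  }
  const maxTier = ROLE_MAX_TIER[principal.role] || 'read';
  if (TIER_RANK[policy.tier] > TIER_RANK[maxTier]) {
    return { allowed: false, reason: `role ${principal.role} cannot run ${policy.tier} tools` };
  }
  // Destructive tools additionally need an out-of-band human approval for that tool.
  if (policy.tier === 'destructive' && !approvals.has(call.name)) {
    return { allowed: false, reason: 'needs human approval' };
  }
  return { allowed: true, reason: 'ok' };
}

// Run every extracted call through authorisation. Each decision is returned as a
// structured record so the result doubles as an audit trail, which DVRAG lacks.
function runPipelineTools(modelOutput, principal, approvals, executor) {
  const decisions = [];
  for (const call of extractToolCalls(modelOutput)) {
    const decision = authoriseToolCall(call, principal, approvals);
    decisions.push({ tool: call.name, tenantId: principal.tenantId, role: principal.role, ...decision });
    if (decision.allowed) executor(call);
  }
  return decisions;
}
```

The ordering of checks matters: unknown and disabled tools are rejected before any argument is inspected, tenant scope is enforced before role, and an approval token is required on top of role for destructive tiers, so a prompt-injected call can at most trigger a read-tier tool the caller could already invoke directly.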

Cache Poisoning (CWE-524)
Shared cache across all tenants. No invalidation. One user poisons results for everyone.

SSRF (CWE-918)
Fetch endpoint follows any URL including cloud metadata and internal services.

Path Traversal (CWE-22)
Document export allows reading arbitrary files via ../ sequences.

Embedding Inversion (CWE-200)
Raw embedding vectors and embedding function exposed via API.

Bulk Injection (CWE-354)
Entire corpus can be poisoned in a single bulk request. No rate limiting, no validation.

System Prompt Leakage (CWE-200)
Full model configuration, system prompt, and vector DB credentials exposed.

No Monitoring (CWE-778)
console.log only. No structured logging, no audit trail, no alerting.

Fail-Open (CWE-636)
Pipeline answers from model memory when retrieval fails. Hallucinated responses served without grounding.

Plus: tenant enumeration, re-ranking manipulation, metadata injection, chunking boundary attacks, token exhaustion, multi-hop poisoning, semantic cache poisoning.
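Two of the defects above, the flat namespace behind Cross-Tenant Data Leakage and the Fail-Open behaviour, share a single hardened retrieval path. The following is an added example, not DVRAG's code: an in-memory vector store where the tenant filter is applied before ranking (so another tenant's rows can never be scored), similarity scores are kept server-side, and the pipeline refuses rather than falling back to model memory when nothing relevant is retrieved. The corpus and its 3-dimensional embeddings are constructed toy data, and the `generate` callback stands in for whatever model call the pipeline makes.

```javascript
// Added example, not DVRAG's code. Tenant-scoped retrieval that fails closed.
// CORPUS and its 3-d vectors are constructed toy data, not real embeddings.

const CORPUS = [
  { id: 'd1', tenantId: 'acme',   text: 'Acme Q3 merger plans',  vec: [0.90, 0.10, 0.00] },
  { id: 'd2', tenantId: 'globex', text: 'Globex merger plans',    vec: [0.85, 0.15, 0.00] },
  { id: 'd3', tenantId: 'acme',   text: 'Acme holiday policy',    vec: [0.00, 0.20, 0.95] },
];

function cosine(a, b) {
  let dot = 0, na = 0, nb = 0;
  for (let i = 0; i < a.length; i++) { dot += a[i] * b[i]; na += a[i] * a[i]; nb += b[i] * b[i]; }
  return na && nb ? dot / Math.sqrt(na * nb) : 0;
}

// Filter on tenant metadata BEFORE ranking. A flat namespace ranks the whole
// store and hopes the top-k happens to belong to the caller; this cannot leak
// because other tenants' rows never enter the similarity computation.
function retrieve(store, queryVec, tenantId, { k = 3, minScore = 0.8 } = {}) {
  return store
    .filter(doc => doc.tenantId === tenantId)
    .map(doc => ({ doc, score: cosine(doc.vec, queryVec) }))
    .filter(hit => hit.score >= minScore)
    .sort((x, y) => y.score - x.score)
    .slice(0, k);
}

// session.tenantId comes from the authenticated session, never from the request
// body. When nothing clears the threshold the pipeline fails closed: no answer
// is synthesised from model memory, and raw scores are not returned to callers.
function answer(store, queryVec, session, generate) {
  const hits = retrieve(store, queryVec, session.tenantId);
  if (hits.length === 0) {
    return { grounded: false, answer: null, sources: [] };
  }
  const context = hits.map(h => h.doc.text).join('\n');
  return { grounded: true, answer: generate(context), sources: hits.map(h => h.doc.id) };
}
```

A query for "merger plans" from an acme session therefore sees only d1, the same query from a globex session sees only d2, and a session for a tenant with no matching documents gets a refusal instead of a hallucinated answer.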

15 CTF Challenges

Three difficulty levels. Each challenge maps to a real-world attack scenario:

Easy

  • Cross-tenant data theft
  • Indirect prompt injection
  • Secret extraction
  • PHI/PII exposure
  • Admin panel access
  • Document injection
  • Model config exfiltration

Medium

  • Tool execution from query
  • Cache poisoning across users
  • Insider trading intel extraction
  • Breach notification draft access

Hard

  • Embedding inversion attack
  • Privilege escalation via metadata
  • Multi-hop data exfiltration
  • Whistleblower identity extraction

22 API Endpoints

All unauthenticated. All exploitable.

  • POST /query -- RAG query (cross-tenant, no auth)
  • POST /ingest -- inject single document
  • POST /ingest/bulk -- mass corpus poisoning
  • POST /search -- vector search with exposed scores
  • POST /embed -- generate embedding for any text
  • POST /fetch -- SSRF to any URL
  • POST /debug/prompt -- view constructed prompt
  • POST /admin/login -- hardcoded credentials
  • GET /admin/config -- full config without auth
  • GET /admin/export -- dump everything
  • GET /corpus -- all documents exposed
  • GET /embeddings -- raw vectors
  • GET /config -- model params and system prompt
  • GET /cache -- other users' responses
  • GET /export/:id -- path traversal
  • GET /pipeline -- full architecture exposed
  • GET /tenants -- enumerate all tenants
  • GET /threat-model -- JSON threat model
  • GET /challenges -- CTF challenge list
  • DELETE /corpus/:id -- delete without auth
  • DELETE /cache -- clear cache without auth
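Two of these endpoints, POST /fetch (SSRF) and GET /export/:id (path traversal), fail for the same reason: client input reaches a network or filesystem call unvalidated. The following is an added example, not DVRAG's code, of the input validation a hardened version of each would perform. The host allowlist, the export root and the `.txt` naming are assumptions; the checks are written without Node's `path` or `net` modules so the logic is visible.

```javascript
// Added example, not DVRAG's code: request validation for a fetch endpoint and
// a file-export endpoint. The allowlist and export root are assumptions.

// Hosts that must never be fetched on behalf of a client, regardless of allowlist.
const BLOCKED_HOSTS = new Set(['169.254.169.254', 'metadata.google.internal', 'localhost']);

// RFC 1918, loopback, link-local and "this network" IPv4 ranges.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || a === 0 || (a === 169 && b === 254)
    || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Positive allowlist of hostnames plus a denylist of internal addresses as
// defence in depth. Only https is accepted; IPv6 literals are rejected outright
// here for simplicity rather than classified.
function validateFetchUrl(raw, allowedHosts) {
  let u;
  try { u = new URL(raw); } catch (e) { return { ok: false, reason: 'unparseable URL' }; }
  if (u.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  const host = u.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (BLOCKED_HOSTS.has(host) || isPrivateIPv4(host) || host.includes(':')) {
    return { ok: false, reason: 'internal address' };
  }
  if (!allowedHosts.has(host)) return { ok: false, reason: 'host not on allowlist' };
  return { ok: true, url: u.href };
}

// First layer for /export/:id: the id is an identifier, not a path. Restrict it
// to a safe character set so "../" can never be assembled from it.
function resolveExportPath(exportRoot, id) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(id)) return { ok: false, reason: 'invalid id' };
  return { ok: true, path: exportRoot.replace(/\/+$/, '') + '/' + id + '.txt' };
}

// Second layer: normalise "." and ".." segments and confirm the final path is
// still inside the export root. Catches any path built elsewhere from raw input.
function normalisePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

function isWithinRoot(root, candidate) {
  const r = normalisePosix(root);
  const c = normalisePosix(candidate);
  return c === r || c.startsWith(r + '/');
}
```

Two caveats a practitioner would add before shipping this: the hostname check must be repeated against the address actually resolved at connection time (DNS rebinding), and the fetch client must not follow redirects automatically, since a redirect to the metadata address bypasses a check done only on the original URL.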

Real-World CVEs and Research

The vulnerabilities in DVRAG are not invented for the exercise. They mirror real CVEs and documented research:

  • CVE-2025-68664 (CVSS 9.3) -- LangChain serialisation RCE via prompt injection
  • CVE-2025-1793 -- LlamaIndex SQL injection via vector store integrations
  • CVE-2025-64513 -- Milvus vector DB authentication bypass
  • PoisonedRAG (USENIX 2025) -- 5 poisoned docs in a 1M-document corpus achieve 90% attack success
  • MS 365 Copilot -- real-world RAG poisoning demonstrated by Johann Rehberger

Threat Model

DVRAG includes a full threat model with 9 attack surfaces, 5 attacker goals, and a JSON API at /threat-model:

ATTACKER                    RAG PIPELINE                    IMPACT

[Poisoned Docs] ------> [ Ingestion ] --> [ Vector Store ]
                          No scanning      Flat namespace
                          No hashing       No isolation

[Crafted Query] ------> [ Retrieval ] --> [ Generation ]
                          No auth check    Follows poison
                          Scores exposed   No output filter

[Any Request] --------> [ Admin/Config ] --> [ Cache ]
                          Hardcoded creds    Shared (no scope)
                          No session mgmt    Cross-tenant leak

Scan It

Point your security scanner at dvrag.com and see what it finds. Or use it as a validation target in CI/CD to verify your RAG security scanner catches expected vulnerabilities.

# Docker
docker pull cybersecai/dvrag:latest
docker run -p 3002:3002 cybersecai/dvrag

# Or hit the live instance
curl -X POST https://dvrag.com/query \
  -H 'Content-Type: application/json' \
  -d '{"query":"merger plans","tenantId":"globex","userId":"attacker"}'

Use It For

  • Penetration testing -- practice RAG attacks in a safe environment
  • Red team training -- 15 challenges across 3 difficulty levels
  • Scanner validation -- verify your tools find expected vulnerabilities
  • Developer education -- see what NOT to do before building production RAG
  • CTF competitions -- ready-made challenges with hints
  • Compliance testing -- validate your RAG pipeline against OWASP guidance

Built By CyberSecAI

Raza Sharif
CEO, CyberSecAI Ltd
contact@agentsign.dev

See also: DVMCP (Damn Vulnerable MCP Server)

Live: dvrag.com
