Skip to main content

Ragflow CVE-2024-53450

HIGH
Out-of-bounds Read (CWE-125)
2024-12-09 cve@mitre.org
7.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 09, 2024 - 17:15 cve.org
HIGH 7.5

DescriptionCVE.org

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.

AnalysisAI

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents. Affected products include: Infiniflow Ragflow.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.

CVE-2024-12433 CRITICAL POC
9.8 Mar 20

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. Rated critical severity (CVSS 9

CVE-2026-24770 CRITICAL POC
9.8 Jan 27

Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary fil

CVE-2024-12450 CRITICAL POC
9.8 Mar 20

In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities.

CVE-2025-27135 HIGH POC
8.9 Feb 25

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Rated high severity (CVSS 8.9), this vulnerabilit

CVE-2024-10131 HIGH POC
8.8 Oct 19

The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulne

CVE-2025-25282 HIGH POC
8.1 Feb 21

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. Rated high s

CVE-2024-12779 HIGH POC
7.5 Mar 20

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. Rated high severity (CVS

CVE-2024-12880 MEDIUM POC
6.5 Mar 20

A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data query

CVE-2024-12871 MEDIUM POC
5.4 Mar 20

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowl

CVE-2026-58579 MEDIUM POC
5.1 Jul 02

Stored XSS in RAGFlow before 0.26.3 enables cross-user JavaScript execution through unsanitized agent pipeline node name

CVE-2025-48187 CRITICAL POC
9.1 May 17

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against

CVE-2024-12869 MEDIUM POC
4.3 Mar 20

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view anot

Share

CVE-2024-53450 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy