Ragflow
CVE-2024-53450
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.
AnalysisAI
RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents. Affected products include: Infiniflow Ragflow.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.
A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. Rated critical severity (CVSS 9
Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary fil
In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities.
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Rated high severity (CVSS 8.9), this vulnerabilit
The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulne
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. Rated high s
A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. Rated high severity (CVS
A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data query
An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowl
Stored XSS in RAGFlow before 0.26.3 enables cross-user JavaScript execution through unsanitized agent pipeline node name
RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against
In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view anot
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today