Multiple Vulnerabilities in Infiniflow Ragflow Affecting Internal Network Security
CVE-2024-12450

9.8CRITICAL

Key Information:

Vendor

Infiniflow

Status
Infiniflow/ragflow
Vendor
CVE Published:
20 March 2025

What is CVE-2024-12450?

The web_crawl function in Infiniflow's Ragflow version 0.12.0 is exposed to critical security issues. It fails to filter URL parameters, enabling attackers to exploit Server-Side Request Forgery (SSRF) vulnerabilities. This flaw permits access to internal network resources that should be secured, leaking sensitive data through generated PDF files. Additionally, the application lacks restrictions on file protocols, which can result in Arbitrary File Read vulnerabilities, allowing unauthorized file access on the server. Compounding these security issues is the deployment of an outdated Chromium headless version operating in --no-sandbox mode, which heightens the risk of Remote Code Execution (RCE) through known vulnerabilities in Chromium's v8 engine. Users are advised to upgrade to version 0.14.0 where these vulnerabilities have been addressed.

Affected Version(s)

infiniflow/ragflow < 0.14.0

References

https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6ef...
https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-12450 : Multiple Vulnerabilities in Infiniflow Ragflow Affecting Internal Network Security