Account Takeover Vulnerability in RAGFlow by Infiniflow
CVE-2025-48187

9.1CRITICAL

Key Information:

Vendor: Infiniflow
Status: Ragflow
Vendor: CVE Published:; 17 May 2025

What is CVE-2025-48187?

RAGFlow, a product by Infiniflow, is vulnerable to account takeover attacks due to a flaw in its email verification process. This vulnerability allows attackers to exploit weak rate limiting controls, enabling them to successfully conduct brute-force attacks against email verification codes. The verification codes, consisting of six digits, can be targeted to manipulate account registration, logins, and password resets. Without effective rate limiting measures in place, unauthorized parties may easily compromise user accounts, posing significant risks to user security and data integrity.

Affected Version(s)

RAGFlow 0 <= 0.18.1

References

https://github.com/infiniflow/ragflow/commits/main/

https://www.cnblogs.com/qiushuo/p/18881084

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 17, 2025
Vulnerability Reserved
May 16, 2025