Account Takeover Vulnerability in RAGFlow by Infiniflow
CVE-2025-48187

9.8CRITICAL

Key Information:

Vendor: Infiniflow
Status: Ragflow
Vendor: CVE Published:; 17 May 2025

What is CVE-2025-48187?

RAGFlow, a product by Infiniflow, is vulnerable to account takeover attacks due to a flaw in its email verification process. This vulnerability allows attackers to exploit weak rate limiting controls, enabling them to successfully conduct brute-force attacks against email verification codes. The verification codes, consisting of six digits, can be targeted to manipulate account registration, logins, and password resets. Without effective rate limiting measures in place, unauthorized parties may easily compromise user accounts, posing significant risks to user security and data integrity.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

RAGFlow 0 <= 0.18.1

References

https://github.com/infiniflow/ragflow/commits/main/

https://www.cnblogs.com/qiushuo/p/18881084

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 17, 2025
Vulnerability Reserved
May 16, 2025

JSON

Infiniflow

What is CVE-2025-48187?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.