CRITICAL🇵🇱 Wersja polska

CVE-2024-12433

CVSS 9.8v3.0pub. 2025-03-20upd. 2025-07-14

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0.

🤖 AI Analysis
How it works

The RPC server in RagFlow uses a hardcoded AuthKey with the value 'infiniflow-token4kevinhu', which an attacker can easily obtain and use to join group communication without any restrictions. After gaining access, the attacker sends crafted data to the server, which is then processed by the `pickle.loads()` function on data received via `connection.recv()`. Deserialization of untrusted data using pickle (CWE-502) allows embedding arbitrary code in the payload that is executed on the server side.

Impact

An unauthenticated remote attacker can execute arbitrary code on the server, leading to complete system compromise, data theft, and violation of confidentiality, integrity, and availability of the service.

Mitigation & patch

Update Infiniflow RagFlow to version 0.14.0, in which the issue has been fixed according to the manufacturer's information.

Who is affected

Infiniflow RagFlow in version v0.12.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Infiniflow Ragflow

    APP
    Infiniflow
    0.12.0 – 0.14.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2026-24770CRITICAL9.8PL ✓ten sam produkt

Zip Slip RCE w RAGFlow — nadpisanie plików przez złośliwe archiwum ZIP

CVE-2025-48187CRITICAL9.1PL ✓ten sam produkt

Przejęcie konta w RAGFlow poprzez brute-force kodów weryfikacyjnych

CVE-2024-12450CRITICAL9.8PL ✓ten sam produkt

Infiniflow RAGflow: SSRF, Arbitrary File Read i RCE w funkcji web_crawl

CVE-2026-28797HIGH8.7ten sam produkt

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-...

CVE-2025-69286HIGH8.9ten sam produkt

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of...