Primary

Context

Infiniflow RagFlow Remote Code Execution Vulnerability

Vulnerability

Patched

A remote code execution vulnerability exists in Infiniflow RagFlow version 0.12.0. The issue arises because the RPC server uses a hard-coded AuthKey that can be easily retrieved by attackers, allowing them to join group communications without restrictions. Furthermore, the server is vulnerable to remote code execution due to pickle deserialization of incoming data, which is processed using 'pickle.loads()' on 'connection.recv()'.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where RagFlow is running.

Remediation

Users can upgrade to Infiniflow RagFlow version 0.14.0 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.3

remediation

7.7

relevance

0.0

threat

3.3

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

5.3

remediation

7.7

relevance

0.0

threat

3.3

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Infiniflow RagFlow Remote Code Execution Vulnerability

Vulnerability

Impact

Remediation

Affected Products

infiniflow/ragflow

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating