- Description: RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit an Insecure Direct Object Reference (IDOR) vulnerability to gain unauthorized cross-tenant access: listing the user accounts of another tenant (e.g., via GET /<tenant_id>/user/list) and adding a user account to another tenant (POST /<tenant_id>/user). This issue has not yet been patched. Users are advised to reach out to the project maintainers to coordinate a fix.
- Source: security-advisories@github.com
- NVD status: Received

CVSS 3.0
- Type: Secondary
- Base score: 8.1
- Impact score: 5.2
- Exploitability score: 2.8
- Vector string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Severity: HIGH
- Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key), source: security-advisories@github.com
- Hype score: 1 (a measure of social media activity compared against trending CVEs from the past 12 months; max score 100)
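The defect described above is a tenant identifier taken from the URL and trusted without checking that the caller belongs to that tenant. The following added example is not RAGFlow's code: it contrasts that IDOR pattern with a handler that derives authorization from the caller's own membership, using a constructed in-memory membership table and hypothetical function names.

```python
# Added example, not taken from RAGFlow. Tenant-scoped authorization guard for
# routes that take <tenant_id> from the URL (e.g. GET /<tenant_id>/user/list,
# POST /<tenant_id>/user), beside the IDOR pattern the advisory describes.
# All names, data and the in-memory membership table are constructed.

class Forbidden(Exception):
    """Raised when the caller is not a member of the requested tenant."""


class TenantStore:
    def __init__(self, members):
        # tenant_id -> set of member user ids (constructed sample data)
        self.members = {tid: set(users) for tid, users in members.items()}

    def require_member(self, caller, tenant_id):
        # Membership is resolved from the authenticated caller, not from the
        # URL. Unknown tenants and non-members are both denied, so an attacker
        # cannot enumerate tenant ids by watching for "not found" responses.
        if caller not in self.members.get(tenant_id, set()):
            raise Forbidden(f"{caller!r} is not a member of tenant {tenant_id!r}")

    # --- IDOR pattern: the URL parameter is trusted as-is ---------------------
    def list_users_vulnerable(self, caller, tenant_id):
        return sorted(self.members.get(tenant_id, set()))

    def add_user_vulnerable(self, caller, tenant_id, new_user):
        self.members.setdefault(tenant_id, set()).add(new_user)

    # --- Hardened: every tenant-scoped route goes through require_member -----
    def list_users(self, caller, tenant_id):
        self.require_member(caller, tenant_id)
        return sorted(self.members[tenant_id])

    def add_user(self, caller, tenant_id, new_user):
        self.require_member(caller, tenant_id)
        self.members[tenant_id].add(new_user)


def denied(action):
    """Run a handler call and report whether the guard rejected it."""
    try:
        action()
        return False
    except Forbidden:
        return True


def demo():
    store = TenantStore({"tenant-a": {"alice"}, "tenant-b": {"bob"}})
    leaked = store.list_users_vulnerable("alice", "tenant-b")       # ['bob']
    blocked = denied(lambda: store.list_users("alice", "tenant-b"))  # True
    return leaked, blocked
```

A real fix would additionally check the caller's role within the tenant (for example, only owners may add members), which this example leaves out.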
- @cybercronai, 22 Feb 2025: 🚨 CVE-2025-25282 🔴 HIGH (8.1) 🏢 infiniflow - ragflow 🏗️ <= 0.13.0 🔗 https://t.co/D4XKnvgwub #CyberCron #VulnAlert https://t.co/NUmhGDtojK
- @CVETracker, 22 Feb 2025: CVE-2025-25282 02/21/2025 09:15:23 PM BaseSeverity: HIGH RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit ... https://t.co/vRMl0kgaQj
- @CVEnew, 21 Feb 2025: CVE-2025-25282 RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Obje… https://t.co/4YEg9OFAlX