Unrated severity · NVD Advisory · Published Oct 19, 2024 · Updated Oct 15, 2025
Remote Code Execution in infiniflow/ragflow
CVE-2024-10131
Description
The add_llm function in llm_app.py in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The function uses user-supplied input req['llm_factory'] and req['llm_name'] to dynamically instantiate classes from various model dictionaries. This approach allows an attacker to potentially execute arbitrary code due to the lack of comprehensive input validation or sanitization. An attacker could provide a malicious value for 'llm_factory' that, when used as an index to these model dictionaries, results in the execution of arbitrary code.
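The validation the description says is missing can be sketched as follows. This is an added example, not code from ragflow or from the advisory: the class names, the `CHAT_MODELS` registry, the `resolve_model` helper and the model-name pattern are all hypothetical stand-ins for the "model dictionaries" the description mentions.

```python
import re

# Hypothetical stand-ins for the server's model classes (not ragflow code).
class OpenAIChat:
    def __init__(self, key, model_name):
        self.key, self.model_name = key, model_name

class OllamaChat:
    def __init__(self, key, model_name):
        self.key, self.model_name = key, model_name

# Hypothetical registry: the only classes a request may ever instantiate.
CHAT_MODELS = {"OpenAI": OpenAIChat, "Ollama": OllamaChat}

# Assumed policy for model names: short, no whitespace or shell/meta characters.
MODEL_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:/-]{0,127}")

class InvalidModelRequest(ValueError):
    """Raised when llm_factory or llm_name fails validation."""

def resolve_model(req, registry=CHAT_MODELS):
    """Validate req['llm_factory'] and req['llm_name'] before instantiating."""
    factory = req.get("llm_factory")
    name = req.get("llm_name")
    # JSON bodies can carry lists, dicts or numbers; reject them up front so
    # they never reach the dictionary lookup or a constructor.
    if not isinstance(factory, str) or not isinstance(name, str):
        raise InvalidModelRequest("llm_factory and llm_name must be strings")
    # Exact-match allow-list: the request value selects an entry, it is never
    # passed to getattr, eval, importlib or string formatting of code.
    cls = registry.get(factory)
    if cls is None:
        raise InvalidModelRequest(f"unknown llm_factory: {factory!r}")
    if not MODEL_NAME_RE.fullmatch(name):
        raise InvalidModelRequest("llm_name contains unexpected characters")
    return cls(key=req.get("api_key", ""), model_name=name)

if __name__ == "__main__":
    # Constructed sample requests.
    ok = resolve_model({"llm_factory": "Ollama", "llm_name": "llama3:8b"})
    print(type(ok).__name__, ok.model_name)
    try:
        resolve_model({"llm_factory": "NoSuchFactory", "llm_name": "x"})
    except InvalidModelRequest as exc:
        print("rejected:", exc)
```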
Affected products (2)
- Range: ==0.11.0
- infiniflow/infiniflow/ragflow v5, Range: unspecified