VYPR
Unrated severityNVD Advisory· Published Mar 20, 2025· Updated Mar 20, 2025

Remote Code Execution in infiniflow/ragflow

CVE-2024-12433

Description

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via pickle.loads() on connection.recv(), making it vulnerable to remote code execution. This issue is fixed in version 0.14.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Range: <=0.12.0
  • infiniflow/infiniflow/ragflowv5
    Range: unspecified

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.