Unrated severityNVD Advisory· Published Feb 25, 2025· Updated Feb 25, 2025

RAGFlow SQL Injection vulnerability

CVE-2025-27135

Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available.

Affected products

Infiniflow/Ragflowv5
Range: <= 0.15.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/infiniflow/ragflow/blob/v0.15.1/agent/component/exesql.pymitrex_refsource_MISC
github.com/infiniflow/ragflow/security/advisories/GHSA-3gqj-66qm-25jqmitrex_refsource_CONFIRM
swizzky.notion.site/ragflow-exesql-150ca6df7c03806989cefde915cf8e42mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000