CVE-2024-12450

In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These issues are resolved in version 0.14.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9	Patch
https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a	Exploit
https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*

History

04 Apr 2025, 09:15

Type	Values Removed	Values Added
CWE	~~CWE-77~~

01 Apr 2025, 20:35

Type	Values Removed	Values Added
References	~~() https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9 -~~	() https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9 - Patch
References	~~() https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a -~~	() https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a - Exploit
Summary		(es) En las versiones 0.12.0 de infiniflow/ragflow, la función `web_crawl` en `document_app.py` contiene múltiples vulnerabilidades. Esta función no filtra los parámetros de URL, lo que permite a los atacantes explotar la SSRF de lectura completa accediendo a direcciones de red internas y visualizando su contenido a través de los archivos PDF generados. Además, la ausencia de restricciones en el protocolo de archivos permite la lectura arbitraria de archivos, lo que permite a los atacantes leer archivos del servidor. Asimismo, el uso de una versión desactualizada de Chromium sin interfaz gráfica con el modo --no-sandbox habilitado hace que la aplicación sea susceptible a la ejecución remota de código (RCE) a través de vulnerabilidades conocidas de Chromium v8. Estos problemas se han resuelto en la versión 0.14.0.
CWE		CWE-918
First Time		Infiniflow ragflow Infiniflow
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:infiniflow:ragflow:0.12.0:::::::*

20 Mar 2025, 16:15

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a -~~	() https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a -

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-04 09:15

NVD link : CVE-2024-12450

Mitre link : CVE-2024-12450

CVE.ORG link : CVE-2024-12450

JSON object : View

Products Affected

infiniflow

ragflow

CWE

CWE-918

Server-Side Request Forgery (SSRF)

9.8 /10