RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a malicious ZIP archive. The MinerUParser class retrieves and extracts ZIP files from an external source (mineru_server_url). The extraction logic in `_extract_zip_no_root` fails to sanitize filenames within the ZIP archive. Commit 64c75d558e4a17a4a48953b4c201526431d8338f contains a patch for the issue.
References
| Link | Resource |
|---|---|
| https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f | Patch |
| https://github.com/infiniflow/ragflow/security/advisories/GHSA-v7cf-w7gj-pgf4 | Exploit Vendor Advisory |
Configurations
History
30 Jan 2026, 21:53
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:infiniflow:ragflow:*:*:*:*:*:*:*:* | |
| First Time |
Infiniflow ragflow
Infiniflow |
|
| References | () https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f - Patch | |
| References | () https://github.com/infiniflow/ragflow/security/advisories/GHSA-v7cf-w7gj-pgf4 - Exploit, Vendor Advisory |
27 Jan 2026, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-27 22:15
Updated : 2026-01-30 21:53
NVD link : CVE-2026-24770
Mitre link : CVE-2026-24770
CVE.ORG link : CVE-2026-24770
JSON object : View
Products Affected
infiniflow
- ragflow
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')