CVE-2024-12450

In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These issues are resolved in version 0.14.0.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9	Patch
https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a	Exploit
https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-04-04 09:15

NVD link : CVE-2024-12450

Mitre link : CVE-2024-12450

CVE.ORG link : CVE-2024-12450

JSON object : View

Products Affected

infiniflow

ragflow

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-12450", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:28.883", "references": [{"url": "https://github.com/infiniflow/ragflow/commit/3faae0b2c2f8a26233ee1442ba04874b3406f6e9", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/da06360c-87c3-4ba9-be67-29f6eff9d44a", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-918"}]}, {"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium v8 vulnerabilities. These issues are resolved in version 0.14.0."}, {"lang": "es", "value": "En las versiones 0.12.0 de infiniflow/ragflow, la funci\u00f3n `web_crawl` en `document_app.py` contiene m\u00faltiples vulnerabilidades. Esta funci\u00f3n no filtra los par\u00e1metros de URL, lo que permite a los atacantes explotar la SSRF de lectura completa accediendo a direcciones de red internas y visualizando su contenido a trav\u00e9s de los archivos PDF generados. Adem\u00e1s, la ausencia de restricciones en el protocolo de archivos permite la lectura arbitraria de archivos, lo que permite a los atacantes leer archivos del servidor. Asimismo, el uso de una versi\u00f3n desactualizada de Chromium sin interfaz gr\u00e1fica con el modo --no-sandbox habilitado hace que la aplicaci\u00f3n sea susceptible a la ejecuci\u00f3n remota de c\u00f3digo (RCE) a trav\u00e9s de vulnerabilidades conocidas de Chromium v8. Estos problemas se han resuelto en la versi\u00f3n 0.14.0."}], "lastModified": "2025-04-04T09:15:15.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EDC17D5-855D-4564-ABB4-CED9A5E4F983"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}