CVE-2024-12779

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST /v1/llm/add_llm` and `POST /v1/conversation/tts` endpoints. Attackers can specify an arbitrary URL as the `api_base` when adding an `OPENAITTS` model, and subsequently access the `tts` REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/3cc748ba-2afb-4bfe-8553-10eb6d6dd4f0	Exploit
https://huntr.com/bounties/3cc748ba-2afb-4bfe-8553-10eb6d6dd4f0	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-04-01 20:34

NVD link : CVE-2024-12779

Mitre link : CVE-2024-12779

CVE.ORG link : CVE-2024-12779

JSON object : View

Products Affected

infiniflow

ragflow

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2024-12779", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-20T10:15:30.600", "references": [{"url": "https://huntr.com/bounties/3cc748ba-2afb-4bfe-8553-10eb6d6dd4f0", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/3cc748ba-2afb-4bfe-8553-10eb6d6dd4f0", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST /v1/llm/add_llm` and `POST /v1/conversation/tts` endpoints. Attackers can specify an arbitrary URL as the `api_base` when adding an `OPENAITTS` model, and subsequently access the `tts` REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources."}, {"lang": "es", "value": "Existe una vulnerabilidad de Server-Side Request Forgery (SSRF) en infiniflow/ragflow versi\u00f3n 0.12.0. La vulnerabilidad est\u00e1 presente en los endpoints `POST /v1/llm/add_llm` y `POST /v1/conversation/tts`. Los atacantes pueden especificar una URL arbitraria como `api_base` al agregar un modelo `OPENAITTS` y, posteriormente, acceder al endpoint de la API REST `tts` para leer el contenido de la URL especificada. Esto puede provocar acceso no autorizado a recursos web internos."}], "lastModified": "2025-04-01T20:34:50.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:infiniflow:ragflow:0.12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EDC17D5-855D-4564-ABB4-CED9A5E4F983"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}