← Back

CVE-2024-12779

nvd nist
Published: Mar 20, 2025Modified: Apr 1, 2025

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST /v1/llm/add_llm` and `POST /v1/conversation/tts` endpoints. Attackers can specify an arbitrary URL as the `api_base` when adding an `OPENAITTS` model, and subsequently access the `tts` REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources.

Affected (1)

Products: Infiniflow: Ragflow
Infiniflow
1 product
Ragflow
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Ragflow
Version 0.12.0

Related CWEs

CWE-918
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

Source: security@huntr.dev
Exploit
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit

Timeline

No history available yet.