CVE-2025-48187

Published: May 17, 2025Modified: Jun 12, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.

Affected (1)

Products: Infiniflow: Ragflow

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Infiniflow Ragflow	Up to 0.18.1

Related CWEs

Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

References (3)

https://github.com/infiniflow/ragflow/commits/main/

Source: cve@mitre.org

Patch

https://www.cnblogs.com/qiushuo/p/18881084

Source: cve@mitre.org

Exploit

https://www.cnblogs.com/qiushuo/p/18881084

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit

Timeline

No history available yet.