CVE-2025-48187

CVSS 9.1 CRITICALEPSS 0.5%CWE-307

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Produtos afetados

infiniflow · RAGFlow

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/infiniflow/ragflow/commits/main/https://www.cnblogs.com/qiushuo/p/18881084