CVE-2025-25282 HIGH

CVE-2025-25282: Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow

Vendor Infiniflow
Product ragflow
Weakness CWE-639 · IDOR
Published February 21, 2025
Last update February 24, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability that may lead to unauthorized cross-tenant access (list tenant user accounts, add user account into other tenant). Unauthorized cross-tenant access: list user from other tenant (e.g., via GET /<tenant_id>/user/list), add user account to other tenant (POST /<tenant_id>/user). This issue has not yet been patched. Users are advised to reach out to the project maintainers to coordinate a fix.

Key dates

02Disclosure timeline

February 21, 2025 CVE published
February 24, 2025 Record updated