CVE-2025-48187 CRITICAL

CVE-2025-48187

Vendor Infiniflow
Product RAGFlow
Weakness CWE-307 · Improper Restriction of Excessive Authentication Attempts (brute force)
Published May 17, 2025
Last update May 19, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

RAGFlow through 0.18.1 allows account takeover because the e-mail verification codes it sends can be brute-forced over the network. The codes are six decimal digits, so there are only 1,000,000 possible values, and the server applies no rate limiting or attempt cap when a code is checked, so an unauthenticated attacker who knows a target's e-mail address can enumerate the code and complete the flow it protects: arbitrary account registration, login, and password reset.
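The following is an added illustration of the weakness class, not RAGFlow's code and not a reproduction of the reported flaw. It models a six-digit e-mail code checked with no attempt limit and no expiry next to a version that caps guesses per issued code, expires codes, makes them single-use and binds them to a purpose (registration, login or reset), then runs the same 000000..999999 enumeration against both. Class names, the attempt cap, the TTL and the sample e-mail address are all assumptions chosen for the example.

```python
"""Six-digit e-mail verification codes: an unthrottled check beside a throttled,
expiring, single-use check. Illustrative code, not RAGFlow's implementation."""
import hmac
import secrets
import time

CODE_LEN = 6                 # 10**6 possible codes, as in the advisory
MAX_ATTEMPTS = 5             # guesses allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 600       # lifetime of an issued code (assumed policy)


def generate_code():
    """Return a uniformly random, zero-padded six-digit code."""
    return f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"


class VulnerableVerifier:
    """CWE-307 pattern: the code never expires and every guess is checked."""

    def __init__(self):
        self._codes = {}

    def issue(self, email, purpose, code=None):
        code = code or generate_code()
        self._codes[(email, purpose)] = code
        return code

    def verify(self, email, purpose, guess):
        return self._codes.get((email, purpose)) == guess


class HardenedVerifier:
    """Per-code attempt cap, expiry, single use, constant-time comparison."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.monotonic):
        self._max_attempts = max_attempts
        self._ttl = ttl
        self._clock = clock
        self._pending = {}   # (email, purpose) -> [code, issued_at, attempts_left]

    def issue(self, email, purpose, code=None):
        code = code or generate_code()
        # Re-issuing replaces any outstanding code and resets its counter.
        self._pending[(email, purpose)] = [code, self._clock(), self._max_attempts]
        return code

    def verify(self, email, purpose, guess):
        key = (email, purpose)
        entry = self._pending.get(key)
        if entry is None:
            return False                    # nothing outstanding (never issued, used, or burned)
        code, issued_at, _ = entry
        if self._clock() - issued_at > self._ttl:
            del self._pending[key]          # expired: burn it
            return False
        entry[2] -= 1                       # count the attempt before comparing
        ok = hmac.compare_digest(code.encode(), guess.encode())
        if ok or entry[2] <= 0:
            del self._pending[key]          # single use, or attempts exhausted
        return ok


def brute_force(verifier, email, purpose):
    """Enumerate 000000..999999 as an unthrottled network attacker would.
    Returns (code_found_or_None, guesses_made)."""
    for n in range(10 ** CODE_LEN):
        guess = f"{n:0{CODE_LEN}d}"
        if verifier.verify(email, purpose, guess):
            return guess, n + 1
    return None, 10 ** CODE_LEN


def demo(target_code="483920"):
    """Run the same attack against both verifiers with a fixed, constructed code."""
    email, purpose = "victim@example.com", "password_reset"   # constructed sample target
    vuln = VulnerableVerifier()
    vuln.issue(email, purpose, code=target_code)
    hard = HardenedVerifier()
    hard.issue(email, purpose, code=target_code)
    return brute_force(vuln, email, purpose), brute_force(hard, email, purpose)


if __name__ == "__main__":
    (found, n), (found_h, n_h) = demo()
    print(f"unthrottled: recovered {found} after {n} guesses")
    print(f"hardened:    recovered {found_h} after {n_h} guesses "
          f"(code burned after {MAX_ATTEMPTS} wrong attempts)")
```

Against the unthrottled verifier the enumeration always succeeds, on average after about 500,000 requests, which is purely a question of how fast the attacker can send them. Against the hardened verifier the code is destroyed after the fifth wrong guess, so the attacker's best case is a 5 in 1,000,000 chance per issued code, and each further attempt requires triggering a fresh e-mail to the victim. Keying the pending code on the purpose as well as the address stops a code obtained for one flow from being replayed into another.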

Key dates

Disclosure timeline

May 17, 2025 CVE published
May 19, 2025 Record updated