CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-25282: Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow

8.1 CVSS

Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability that may lead to unauthorized cross-tenant access (list tenant user accounts, add user account into other tenant). Unauthorized cross-tenant access: list user from other tenant (e.g., via GET //user/list), add user account to other tenant (POST //user). This issue has not yet been patched. Users are advised to reach out to the project maintainers to coordinate a fix.

Classification

CVE ID: CVE-2025-25282

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key

Affected Products

Vendor: infiniflow

Product: ragflow

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 5.03% (scored less or equal to compared to others)

EPSS Date: 2025-03-22 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-25282
https://github.com/infiniflow/ragflow/security/advisories/GHSA-wc5v-g79p-7hch

Timeline