
CVE-2025-27135: RAGFlow SQL Injection vulnerability

8.9 CVSS

Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection: the ExeSQL agent component extracts the SQL statement from its input and passes it directly to the database for execution, so whoever controls that input chooses the statement that runs. As of the time of publication, no patched version is available.
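The pattern the description names, beside a hardened alternative, as an added example. This is not RAGFlow's code (the real component is agent/component/exesql.py, linked in the references) and not the project's fix: it assumes the component's input is attacker-influenced text carrying a SQL statement, uses a constructed SQLite file as a stand-in for the real backend, and the names `extract_sql`, `run_sql_unsafe`, `run_sql_hardened`, `readonly_connection` and `try_hardened` are this example's own.

```python
import os
import re
import sqlite3
import tempfile

# Constructed demo backend: a throwaway SQLite file stands in for the database an
# ExeSQL-style component would query. Table contents are made up for the example.
DB_PATH = os.path.join(tempfile.gettempdir(), "exesql_demo.sqlite")
SCHEMA = """
DROP TABLE IF EXISTS customers;
CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO customers VALUES (1, 'alice', 'alice@example.com');
INSERT INTO customers VALUES (2, 'bob',   'bob@example.com');
"""


def setup_db():
    """(Re)create the demo database and return a read-write autocommit connection:
    the privileged application connection the vulnerable pattern runs on."""
    admin = sqlite3.connect(DB_PATH, isolation_level=None)
    admin.executescript(SCHEMA)
    return admin


def row_count(conn):
    """Demo helper: number of rows currently in customers."""
    return conn.execute("SELECT count(*) FROM customers").fetchall()[0][0]


def extract_sql(text):
    """Pull the statement out of upstream text (an LLM answer or a user message):
    the body of a ```sql fence if present, otherwise the whole text."""
    m = re.search(r"```sql\s*(.*?)```", text, re.S | re.I)
    return (m.group(1) if m else text).strip()


def run_sql_unsafe(conn, text):
    """Vulnerable pattern (CWE-89): whatever the extractor returns is executed as-is,
    so the upstream text, not the application, decides which statement runs."""
    return conn.execute(extract_sql(text)).fetchall()


# --- hardened variant (hypothetical; not the project's fix) ----------------------

READ_QUERY = re.compile(r"^\s*(SELECT|WITH)\b", re.I)


def _read_only_authorizer(action, arg1, arg2, db_name, trigger):
    """SQLite authorizer callback: permit only reads. Denies DML, DDL, ATTACH and
    PRAGMA even when a statement slips past the textual check ('WITH ... DELETE')."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def readonly_connection():
    """Least-privilege connection for untrusted queries: opened read-only at the file
    level (stand-in for a SELECT-only database role), with the authorizer on top."""
    conn = sqlite3.connect(f"file:{DB_PATH}?mode=ro", uri=True)
    conn.set_authorizer(_read_only_authorizer)
    return conn


def run_sql_hardened(conn, text, max_rows=100):
    """Run one read query taken from untrusted text on a read-only connection."""
    sql = extract_sql(text).rstrip().rstrip(";")
    if ";" in sql:
        raise ValueError("stacked statements are not allowed")
    if not READ_QUERY.match(sql):
        raise ValueError("only SELECT/WITH queries are allowed")
    # Bounded result set: an injected 'SELECT * FROM ...' should not dump a whole table.
    return conn.execute(sql).fetchmany(max_rows)


def try_hardened(conn, text):
    """Return ('ok', rows) or ('rejected', exception class name)."""
    try:
        return ("ok", run_sql_hardened(conn, text))
    except (ValueError, sqlite3.DatabaseError) as exc:
        return ("rejected", type(exc).__name__)


if __name__ == "__main__":
    admin = setup_db()
    # Attacker-controlled upstream text (constructed): a write, not a question.
    run_sql_unsafe(admin, "```sql\nDELETE FROM customers\n```")
    print("rows left after unsafe run:", row_count(admin))

    admin.close()
    admin = setup_db()
    ro = readonly_connection()
    for payload in ("SELECT name FROM customers ORDER BY id",
                    "DELETE FROM customers",
                    "SELECT 1; DELETE FROM customers",
                    "WITH t AS (SELECT 1) DELETE FROM customers"):
        print(payload, "->", try_hardened(ro, payload))
    print("rows left after hardened runs:", row_count(admin))
```

The textual allowlist on its own is not a fix: SQLite, like several other engines, accepts `WITH ... DELETE`, which the prefix check passes and only the read-only connection stops. In a real deployment the equivalent control is a database role granted SELECT only on the tables the agent actually needs, since a read-only account still lets an injected SELECT read anything that role can see.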

Classification

CVE ID: CVE-2025-27135

CVSS Base Severity: HIGH

CVSS Base Score: 8.9

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem Types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Affected Products

Vendor: infiniflow

Product: ragflow

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation activity in the wild within the next 30 days)

EPSS Percentile: 10.52% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-26 (date the score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: poc

SSVC Technical Impact: total

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27135
https://github.com/infiniflow/ragflow/security/advisories/GHSA-3gqj-66qm-25jq
https://github.com/infiniflow/ragflow/blob/v0.15.1/agent/component/exesql.py
https://swizzky.notion.site/ragflow-exesql-150ca6df7c03806989cefde915cf8e42?pvs=4

Timeline