CVE-2025-48187

Summary

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.

Affected Software

VendorProductVersion RangeStatus
infiniflowRAGFlow0 <= 0.18.1affected

Weaknesses

  • CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

Additional References

References