CVE-2025-48187
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| infiniflow | RAGFlow | 0 <= 0.18.1 | affected |
Weaknesses
- CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.