CNNVD-202512-5500 Information

CNNVD ID

CNNVD-202512-5500

CVE-2025-68700

  • CNNVD Published: 2025-12-31

Description (Chinese, translated)

RAGFlow is an open-source RAG engine from InfiniFlow based on deep document understanding. Versions of RAGFlow before 0.23.0 contain a security vulnerability: the front-end Canvas CodeExec component uses eval to parse untrusted data without filtering or sandbox isolation, which may lead to arbitrary system command execution.

Description (English)

RAGFlow is an open-source RAG engine based on deep document understanding. Prior to RAGFlow 0.23.0, the front-end Canvas CodeExec component used eval to interpret untrusted data without filtering or sandboxing, which could lead to arbitrary system command execution.
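The descriptions above name the general anti-pattern (eval used as a parser for data the component does not control) but not the exact data flow; the linked GitHub advisory and fix commit are the authoritative account of what RAGFlow actually did. The following is an added illustration written for this entry, not code from RAGFlow or from the advisory: a minimal component-config parser in the vulnerable eval style next to a hardened replacement that uses a data parser and validates the result. The field names (lang, script), the language allowlist, and the sample inputs are assumptions constructed for the example.

```javascript
"use strict";

// Vulnerable pattern: eval "parses" a JSON-like string. Because eval is a
// code evaluator, any JavaScript expression smuggled into the string runs
// with the full privileges of the page that called it.
function parseNodeConfigWithEval(untrusted) {
  // The wrapping parentheses make a bare object literal parse as an expression.
  return eval("(" + untrusted + ")");
}

// Assumed policy for the hardened parser (not from the advisory).
const ALLOWED_LANGS = new Set(["python", "javascript"]);
const MAX_CONFIG_BYTES = 64 * 1024;

// Hardened pattern: JSON.parse only builds data and never executes code, and
// the parsed value is checked against an explicit shape before it is used.
function parseNodeConfigSafely(untrusted) {
  if (typeof untrusted !== "string" || untrusted.length > MAX_CONFIG_BYTES) {
    throw new Error("config rejected: not a string or too large");
  }
  let value;
  try {
    value = JSON.parse(untrusted);
  } catch (e) {
    throw new Error("config rejected: not valid JSON");
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("config rejected: expected a JSON object");
  }
  // Reject unexpected keys, including "__proto__" and "constructor", which
  // JSON.parse returns as ordinary own properties.
  for (const key of Object.keys(value)) {
    if (key !== "lang" && key !== "script") {
      throw new Error("config rejected: unexpected key " + key);
    }
  }
  if (!ALLOWED_LANGS.has(value.lang)) {
    throw new Error("config rejected: unsupported lang");
  }
  if (typeof value.script !== "string") {
    throw new Error("config rejected: script must be a string");
  }
  // Return a fresh object built from validated fields only.
  return { lang: value.lang, script: value.script };
}

// Constructed sample inputs for the demonstration (not from the advisory).
const BENIGN = JSON.stringify({ lang: "python", script: "print('hello')" });
// Looks like a config to a human, but to eval it is a comma expression: the
// first operand runs as code, the second is the value eval returns. A global
// marker stands in for the attacker's real payload.
const MALICIOUS = "(globalThis.evalSideEffect = 'code ran', " + BENIGN + ")";
const EXTRA_KEY = JSON.stringify({ lang: "python", script: "x", extra: 1 });
const PROTO_KEY = '{"__proto__":{"polluted":true},"lang":"python","script":""}';

// Runs both parsers over the samples and reports what each one did.
function demo() {
  const results = {};
  results.evalBenign = parseNodeConfigWithEval(BENIGN).lang;
  results.evalMalicious = parseNodeConfigWithEval(MALICIOUS).lang; // payload runs here
  results.sideEffect = globalThis.evalSideEffect;
  results.safeBenign = parseNodeConfigSafely(BENIGN).lang;
  for (const [name, input] of [["safeMalicious", MALICIOUS], ["safeExtraKey", EXTRA_KEY], ["safeProtoKey", PROTO_KEY]]) {
    try {
      parseNodeConfigSafely(input);
      results[name] = "accepted";
    } catch (e) {
      results[name] = "rejected";
    }
  }
  return results;
}
```

The point of the comparison is that both parsers return a plausible config object for the malicious input, so the eval version gives no visible sign that code ran; only the hardened version refuses it. Parsing with JSON.parse closes the code-execution hole, and the shape check closes the second class of bugs (unexpected keys, prototype-named keys, wrong types) that an unvalidated object would carry into whatever runs the script next.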

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

InfiniFlow

Published

2025-12-31

Last Modified

2026-02-24

References

https://github.com/infiniflow/ragflow/commit/7a344a32f9f83529e12ca12f40f2657eb79fe811
https://github.com/infiniflow/ragflow/security/advisories/GHSA-8xw3-v6c2-j84j

Patch

https://github.com/infiniflow/ragflow/releases
