CVE-2025-25282
CVE-2025-25282 is a high-severity vulnerability in Infiniflow Ragflow with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-639.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 0% (36th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-5080
- Weakness: CWE-639
- Affected product: Infiniflow Ragflow
- Published:
- Last modified:
Description
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability that may lead to unauthorized cross-tenant access (list tenant user accounts, add user account into other tenant). Unauthorized cross-tenant access: list user from other tenant (e.g., via GET /<tenant_id>/user/list), add user account to other tenant (POST /<tenant_id>/user). This issue has not yet been patched. Users are advised to reach out to the project maintainers to coordinate a fix.
Frequently asked questions
- What is CVE-2025-25282?
- RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability that may lead to unauthorized cross-tenant access (list tenant user accounts, add user account into other tenant). Unauthorized cross-tenant access: list user from other tenant (e.g., via GET /<tenant_id>/user/list), add user account to other tenant (POST /<tenant_id>/user). This issue has not yet been patched. Users are advised to reach out to the project maintainers to coordinate a fix.
- How severe is CVE-2025-25282?
- CVE-2025-25282 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2025-25282 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (36th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-25282?
- CVE-2025-25282 affects Infiniflow Ragflow. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-25282?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2025-25282 have an EU (EUVD) identifier?
- Yes. CVE-2025-25282 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-5080.
- When was CVE-2025-25282 published?
- CVE-2025-25282 was published on 2025-02-21 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:infiniflow:ragflow:*:*:*:*:*:*:*:*
More vulnerabilities in Infiniflow Ragflow
- CVE-2026-24770 — Critical (CVSS 9.8): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions,…
- CVE-2025-69286 — Critical (CVSS 9.8): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an…
- CVE-2024-12450 — Critical (CVSS 9.8): In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities.…
- CVE-2024-12433 — Critical (CVSS 9.8): A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses…
- CVE-2025-27135 — Critical (CVSS 9.8): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL…
- CVE-2025-48187 — Critical (CVSS 9.1): RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against…
All CVEs affecting Infiniflow Ragflow →
Other CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities
- CVE-2025-40805 — Critical (CVSS 10.0): Affected devices do not properly enforce user authentication on specific API endpoints. This could facilitate an…
- CVE-2024-45032 — Critical (CVSS 10.0): A vulnerability has been identified in Industrial Edge Management Pro (All versions < V1.9.5), Industrial Edge…
- CVE-2026-34037 — Critical (CVSS 9.9): Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to…
- CVE-2026-52782 — Critical (CVSS 9.9): OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, there is an IDOR through…
- CVE-2026-45552 — Critical (CVSS 9.9): Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior,…
- CVE-2026-29200 — Critical (CVSS 9.9): A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and…
Browse all CWE-639 (Authorization Bypass Through User-Controlled Key (IDOR)) vulnerabilities →