CVE-2024-12450
Published: 20 March 2025
Description
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Security Summary
CVE-2024-12450 affects infiniflow/ragflow version 0.12.0, specifically the `web_crawl` function in `document_app.py`. This function fails to filter URL parameters, enabling Full Read Server-Side Request Forgery (SSRF) that allows access to internal network addresses, with their content viewable through generated PDF files. It also lacks restrictions on the `file://` protocol, permitting Arbitrary File Read to access server files. Additionally, the use of an outdated Chromium headless browser in `--no-sandbox` mode exposes the application to Remote Code Execution (RCE) via known Chromium V8 vulnerabilities. The vulnerability is rated critical with a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-918 (SSRF).
Remote, unauthenticated attackers can exploit this vulnerability with low complexity and no user interaction required. By supplying malicious URLs to the `web_crawl` function, they can trigger SSRF to probe and read internal network resources, read arbitrary files on the server, or achieve RCE by leveraging Chromium V8 flaws in the sandboxless environment.
The issues are resolved in ragflow version 0.14.0, as detailed in the project's GitHub commit (3faae0b2c2f8a26233ee1442ba04874b3406f6e9). Additional details are available via the Huntr advisory (da06360c-87c3-4ba9-be67-29f6eff9d44a), which reported the vulnerabilities.
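The URL check the summary says `web_crawl` lacks, as an added example that is not ragflow's own code: it accepts only http/https (closing the `file://` path), rejects embedded credentials, and refuses targets that are, or resolve to, loopback, private, link-local or other non-routable addresses. `validate_crawl_url`, `_is_blocked_address` and the injectable `resolve` hook are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not ragflow's code: the kind of URL filtering the advisory
# says web_crawl lacked. Function names and the resolver hook are assumptions.
ALLOWED_SCHEMES = {"http", "https"}


def _is_blocked_address(ip) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    multicast, reserved and unspecified addresses."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_crawl_url(url: str, resolve=socket.gethostbyname_ex):
    """Return (ok, reason). `resolve` is injectable so the check can run
    offline in tests; by default it uses the system resolver (IPv4 records)."""
    parsed = urlparse(url)
    # Rejects file://, gopher://, a missing scheme, etc.
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '<none>'}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    try:
        addrs = [ipaddress.ip_address(host)]        # literal IPv4/IPv6 target
    except ValueError:
        try:
            _, _, ips = resolve(host)               # hostname: check every record
        except OSError as exc:
            return False, f"dns failure for {host}: {exc}"
        addrs = [ipaddress.ip_address(a) for a in ips]
    for ip in addrs:
        if _is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://127.0.0.1:9380/",
              "http://169.254.169.254/latest/meta-data/"):
        print(u, "->", validate_crawl_url(u))
```

Validating before the fetch does not by itself defeat DNS rebinding; the fetcher should connect to the address that was checked rather than resolving the name a second time. The Chromium `--no-sandbox` issue is separate and is not addressed by this check.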
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in the public-facing `web_crawl` function enables remote unauthenticated exploitation (T1190), arbitrary local file read via the `file://` protocol (T1005), and internal network service discovery via SSRF (T1046); RCE via the vulnerable Chromium build is an impact of the initial exploitation vector rather than a separate technique.