CVE-2025-69286

CVE-2025-69286 affects RAGFlow, an open-source Retrieval-Augmented Generation (RAG) engine, in versions prior to 0.22.0. The vulnerability stems from an insecure key generation algorithm used in the API key and beta (assistant/agent share authentication) token generation process. Both tokens are generated with the same URLSafeTimedSerializer and predictable inputs, making them mutually derivable and linked to CWE-340 (Generation of Predictable Numbers or Identifiers). The issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.

An attacker with access to a shared assistant or agent URL can exploit this vulnerability without authentication or privileges. By analyzing the beta token embedded in the URL, they can derive the victim's personal API key due to the predictable inputs and shared serializer. This grants full control over the assistant/agent owner's account, potentially allowing unauthorized data access, modification, or deletion within the RAGFlow instance.

The GitHub security advisory (GHSA-9j5g-g4xm-57w7) and associated commit (a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6) confirm that upgrading to version 0.22.0 resolves the issue by addressing the token generation flaws, as detailed in the affected code paths in system_app.py, utils/__init__.py, and api_utils.py.

RAGFlow's role as a RAG engine highlights relevance to AI/ML deployments, where shared assistants or agents may expose sensitive LLM workflows to token derivation risks. No public evidence of real-world exploitation is available as of the CVE publication on 2025-12-31.