CVE-2024-12450
Published: 20 March 2025
Summary
CVE-2024-12450 is a critical-severity SSRF (CWE-918) vulnerability in Infiniflow Ragflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-10 (Information Input Validation): Validates and sanitizes URL inputs to the `web_crawl` function to block SSRF attacks on internal networks and arbitrary file reads via unrestricted protocols.
- SI-2 (Flaw Remediation): Ensures timely remediation of flaws in the outdated Chromium build, preventing RCE through known V8 vulnerabilities.
- Enforces secure configuration settings for the headless Chromium browser, such as not running it with --no-sandbox, to mitigate a sandbox escape leading to RCE.
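The SI-10 control above amounts to an allow-list on the crawl URL before anything fetches it. The following is an added example written for this page, not code from ragflow or from the advisory: it rejects every scheme other than http/https (which closes the file:// read), refuses embedded credentials, and resolves the host so that loopback, private, link-local (where cloud metadata endpoints live) and IPv4-mapped addresses are refused. The function names, the `FAKE_DNS` table and the `fake_resolve` resolver are constructed for the example so it runs offline; in production the default `_system_resolve` path uses the real resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Only web schemes are accepted; file:// (and everything else) is rejected
# outright, which closes the arbitrary-file-read path described on the page.
ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a crawl URL fails validation."""


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.1 is checked as IPv4,
    # otherwise the private range behind it could slip through.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or ip.is_loopback    # 127/8, ::1
        or ip.is_link_local  # 169.254/16 (cloud metadata lives here), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def _system_resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA record the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_crawl_url(url: str, resolve=_system_resolve) -> str:
    """Return `url` unchanged if it is safe to crawl, else raise UnsafeURL."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        raise UnsafeURL(f"unparseable URL: {exc}") from exc
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {scheme or '<none>'}")
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6
    if not host:
        raise UnsafeURL("missing host")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL are not allowed")

    try:
        # IP literal in the URL: check it directly, no DNS involved.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        # Hostname (or a shorthand like 127.1 that a resolver expands): resolve
        # it and require *every* returned address to be public, so a name that
        # mixes public and private records is rejected as a whole.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeURL(f"cannot resolve {host}") from exc
    if not addrs:
        raise UnsafeURL(f"{host} has no addresses")
    for ip in addrs:
        if not _is_public(ip):
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return url


def is_safe_crawl_url(url: str, resolve=_system_resolve) -> bool:
    """Boolean wrapper for callers that prefer a check to an exception."""
    try:
        validate_crawl_url(url, resolve)
        return True
    except UnsafeURL:
        return False


# Constructed, offline stand-in for DNS so the example runs without network.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "mixed.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> list[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")


if __name__ == "__main__":
    for candidate in [
        "https://example.com/docs",
        "file:///etc/passwd",
        "http://127.0.0.1:9380/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.1]/",
        "http://intranet.local/",
        "http://mixed.test/",
    ]:
        verdict = "allow" if is_safe_crawl_url(candidate, fake_resolve) else "reject"
        print(f"{candidate:45} -> {verdict}")
```

Two caveats matter when wiring such a check into a crawl endpoint that renders pages with a headless browser. First, validating only the initial URL is not enough, because the browser follows redirects and loads subresources on its own; the same gate has to be applied to every request the browser makes, or the fetcher must be configured not to follow redirects. Second, resolving a name at validation time and connecting to it later leaves a window for the answer to change, so the connection should be made to the address that was checked rather than re-resolving the name.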
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Vulnerability in public-facing web_crawl function enables remote unauthenticated exploitation (T1190), arbitrary local file read via file:// protocol (T1005), and internal network service discovery via SSRF (T1046); RCE via vulnerable Chromium is an impact of the initial exploitation vector.
NVD Description
In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF files. Additionally, the lack of restrictions on the file protocol enables Arbitrary File Read, allowing attackers to read server files. Furthermore, the use of an outdated Chromium headless version with --no-sandbox mode enabled makes the application susceptible to Remote Code Execution (RCE) via known Chromium V8 vulnerabilities. These issues are resolved in version 0.14.0.
Deeper analysis [AI]
CVE-2024-12450 affects infiniflow/ragflow version 0.12.0, specifically the `web_crawl` function in `document_app.py`. This function fails to filter URL parameters, enabling Full Read Server-Side Request Forgery (SSRF) that allows access to internal network addresses, with their content viewable through generated PDF files. It also lacks restrictions on the file protocol, permitting Arbitrary File Read to access server files. Additionally, the use of an outdated Chromium headless browser in --no-sandbox mode exposes the application to Remote Code Execution (RCE) via known Chromium V8 vulnerabilities. The vulnerability is rated critical with a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-918 (SSRF).
Remote, unauthenticated attackers can exploit this vulnerability with low complexity and no user interaction required. By supplying malicious URLs to the `web_crawl` function, they can trigger SSRF to probe and read internal network resources, read arbitrary files on the server, or achieve RCE by leveraging Chromium V8 flaws in the sandboxless environment.
The issues are resolved in ragflow version 0.14.0, as detailed in the project's GitHub commit (3faae0b2c2f8a26233ee1442ba04874b3406f6e9). Additional details are available via the Huntr advisory (da06360c-87c3-4ba9-be67-29f6eff9d44a), which reported the vulnerabilities.
Details
- CWE(s)