CVE-2024-12779
Published: 20 March 2025
Summary
CVE-2024-12779 is a high-severity SSRF (CWE-918) vulnerability in Infiniflow Ragflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates the arbitrary api_base URL input in the add_llm endpoint to block malicious SSRF requests to internal resources.
Enforces information flow policies to restrict server-side requests from reaching unauthorized internal web resources via the tts endpoint.
Monitors and controls outbound communications at system boundaries to limit or detect SSRF attempts proxying to internal services.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vulnerability in public-facing web API endpoints (POST /v1/llm/add_llm and POST /v1/conversation/tts) directly enables T1190 by allowing unauthenticated attackers to exploit the application for initial access and to proxy requests to internal/restricted resources.
NVD Description
A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST /v1/llm/add_llm` and `POST /v1/conversation/tts` endpoints. Attackers can specify an arbitrary URL as the `api_base` when adding an `OPENAITTS` model, and subsequently access…
more
the `tts` REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources.
Deeper analysisAI
CVE-2024-12779 is a Server-Side Request Forgery (SSRF) vulnerability affecting infiniflow/ragflow version 0.12.0. The issue resides in the POST /v1/llm/add_llm and POST /v1/conversation/tts endpoints, where attackers can specify an arbitrary URL as the api_base parameter when adding an OPENAITTS model. This allows subsequent requests to the tts REST API endpoint to fetch and read contents from the attacker-controlled URL. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-918.
Any unauthenticated attacker with network access to the vulnerable RAGFlow instance can exploit this SSRF by first submitting a request to add an LLM model with a malicious api_base URL pointing to internal or restricted resources. They can then trigger the tts endpoint to proxy requests to that URL, enabling them to read sensitive data such as internal web services, metadata endpoints, or other backend resources inaccessible from the internet. This results in high confidentiality impact without requiring privileges, user interaction, or elevated complexity.
Details on the vulnerability, including potential patches or workarounds, are documented in advisories from the Huntr bug bounty program at https://huntr.com/bounties/3cc748ba-2afb-4bfe-8553-10eb6d6dd4f0.
RAGFlow is a framework for retrieval-augmented generation (RAG) workflows involving large language models (LLMs), making this SSRF particularly relevant in AI/ML deployment environments where internal LLM APIs or data stores may be exposed. No public information on real-world exploitation is available as of the CVE publication on 2025-03-20.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Regex match