Cyber Resilience

CVE-2024-53450

HighPublic PoC

Published: 09 December 2024

Published
09 December 2024
Modified
10 July 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0036 58.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53450 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Infiniflow Ragflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.

EU & UK References

Vulnerability details

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine that combines LLMs for truthful question-answering with document retrieval, designed for business workflows, aligning with Enterprise AI Assistants.

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

Improper access control in RAGFlow's document API (CVE-2024-53450) allows unauthenticated retrieval of any user's documents by ID, enabling initial access via exploitation of a public-facing web application (T1190) and collection of data from a document information repository (T1213).

Affected Assets

infiniflow
ragflow
0.13.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References