CVE-2025-69286

CriticalPublic PoC

Published: 31 December 2025

Published

31 December 2025

Modified

06 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0013 31.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-69286 is a critical-severity Generation of Predictable Numbers or Identifiers (CWE-340) vulnerability in Infiniflow Ragflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other Platforms.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-12 (Cryptographic Key Establishment and Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Mandates sufficiently strong mechanisms for generating and managing authenticators like API keys and tokens, directly preventing predictable generation that enables derivation from shared beta tokens.

SC-12 Cryptographic Key Establishment and Management good match

prevent

Requires secure cryptographic key establishment and management for token serialization processes, countering insecure algorithms with predictable inputs used in URLSafeTimedSerializer.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation through identification, reporting, and patching of vulnerabilities like the insecure token generation in RAGFlow versions prior to 0.22.0.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1078 Valid Accounts Stealth

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

Why these techniques?

Vulnerability in public RAGFlow web app enables unauthenticated derivation of valid API keys/tokens from shared URLs, directly facilitating exploitation of public-facing applications and subsequent use of compromised valid accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable.…

Specifically, both tokens are generated using the same `URLSafeTimedSerializer` with predictable inputs, enabling an unauthorized user who obtains the shared assistant/agent URL to derive the personal API key. This grants them full control over the assistant/agent owner's account. Version 0.22.0 fixes the issue.

Deeper analysisAI

CVE-2025-69286 affects RAGFlow, an open-source Retrieval-Augmented Generation (RAG) engine, in versions prior to 0.22.0. The vulnerability stems from an insecure key generation algorithm used in the API key and beta (assistant/agent share authentication) token generation process. Both tokens are generated with the same URLSafeTimedSerializer and predictable inputs, making them mutually derivable and linked to CWE-340 (Generation of Predictable Numbers or Identifiers). The issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.

An attacker with access to a shared assistant or agent URL can exploit this vulnerability without authentication or privileges. By analyzing the beta token embedded in the URL, they can derive the victim's personal API key due to the predictable inputs and shared serializer. This grants full control over the assistant/agent owner's account, potentially allowing unauthorized data access, modification, or deletion within the RAGFlow instance.

The GitHub security advisory (GHSA-9j5g-g4xm-57w7) and associated commit (a3bb4aadcc3494fb27f2a9933b4c46df8eb532e6) confirm that upgrading to version 0.22.0 resolves the issue by addressing the token generation flaws, as detailed in the affected code paths in system_app.py, utils/__init__.py, and api_utils.py.

RAGFlow's role as a RAG engine highlights relevance to AI/ML deployments, where shared assistants or agents may expose sensitive LLM workflows to token derivation risks. No public evidence of real-world exploitation is available as of the CVE publication on 2025-12-31.