RCE in Infiniflow Ragflow

CVE-2025-68700

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the fronten…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.001 (27.8th percentile)
