Vulnerability Details CVE-2025-48187
RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.7%
CVSS Severity
CVSS v3 Score 9.1
References
Products affected by CVE-2025-48187
-
cpe:2.3:a:infiniflow:ragflow:0.1.0
-
cpe:2.3:a:infiniflow:ragflow:0.10.0
-
cpe:2.3:a:infiniflow:ragflow:0.11.0
-
cpe:2.3:a:infiniflow:ragflow:0.12.0
-
cpe:2.3:a:infiniflow:ragflow:0.13.0
-
cpe:2.3:a:infiniflow:ragflow:0.14.0
-
cpe:2.3:a:infiniflow:ragflow:0.14.1
-
cpe:2.3:a:infiniflow:ragflow:0.15.0
-
cpe:2.3:a:infiniflow:ragflow:0.15.1
-
cpe:2.3:a:infiniflow:ragflow:0.16.0
-
cpe:2.3:a:infiniflow:ragflow:0.17.0
-
cpe:2.3:a:infiniflow:ragflow:0.17.1
-
cpe:2.3:a:infiniflow:ragflow:0.17.2
-
cpe:2.3:a:infiniflow:ragflow:0.2.0
-
cpe:2.3:a:infiniflow:ragflow:0.3.0
-
cpe:2.3:a:infiniflow:ragflow:0.3.1
-
cpe:2.3:a:infiniflow:ragflow:0.3.2
-
cpe:2.3:a:infiniflow:ragflow:0.4.0
-
cpe:2.3:a:infiniflow:ragflow:0.5.0
-
cpe:2.3:a:infiniflow:ragflow:0.6.0
-
cpe:2.3:a:infiniflow:ragflow:0.7.0
-
cpe:2.3:a:infiniflow:ragflow:0.8.0
-
cpe:2.3:a:infiniflow:ragflow:0.9.0