PT-2025-12135 · Infiniflow · Ragflow

Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-12433

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

infiniflow/ragflow version v0.12.0

Description

A vulnerability allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey, which attackers can easily obtain and use to join the group communication without restrictions. The server deserializes incoming data by calling pickle.loads() on the output of connection.recv(), which makes it vulnerable to remote code execution.

Recommendations

For infiniflow/ragflow version v0.12.0, update to version 0.14.0 to resolve the issue. As a temporary workaround, consider restricting access to the RPC server to minimize the risk of exploitation. Avoid using the pickle.loads() function on untrusted input until the issue is resolved.
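
A receive path that follows both recommendations, as an added example (not RagFlow's code and not the upstream fix). It assumes the RPC transport is Python's multiprocessing.connection, which the AuthKey and connection.recv() in the description suggest; RPC_AUTHKEY, the operation names and the size limit are hypothetical.

```python
import json
import os
from multiprocessing.connection import Connection, Pipe

MAX_MESSAGE_BYTES = 64 * 1024          # assumed size limit for one RPC message
ALLOWED_OPS = {"ping", "generate"}     # hypothetical operation names


def load_authkey(env=os.environ) -> bytes:
    """Read the connection authkey from the environment, not from source code."""
    key = env.get("RPC_AUTHKEY", "")   # RPC_AUTHKEY is an assumed variable name
    if len(key) < 32:
        raise RuntimeError("RPC_AUTHKEY must be set to at least 32 characters")
    return key.encode()


def decode_message(raw: bytes) -> dict:
    """Parse one message as JSON data; nothing in it is ever executed."""
    try:
        msg = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("message is not valid JSON") from exc
    op = msg.get("op") if isinstance(msg, dict) else None
    if not isinstance(op, str) or op not in ALLOWED_OPS:
        raise ValueError("unexpected message shape or operation")
    return msg


def receive(conn: Connection) -> dict:
    """Replacement for conn.recv(): read raw bytes, never unpickle them."""
    # recv_bytes(maxlength) raises OSError if the peer sends an oversized message.
    return decode_message(conn.recv_bytes(MAX_MESSAGE_BYTES))


if __name__ == "__main__":
    # Constructed demo over a local pipe; a real server would pass
    # authkey=load_authkey() to multiprocessing.connection.Listener.
    server_end, client_end = Pipe()
    client_end.send_bytes(json.dumps({"op": "ping"}).encode())
    print(receive(server_end))
    client_end.send({"op": "ping"})    # send() pickles; the receiver rejects it
    try:
        receive(server_end)
    except ValueError as exc:
        print("rejected:", exc)
```

The authkey only authenticates the peer; it does not make recv() safe, so the two changes are needed together.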

Exploit

Fix

RCE

Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

CVE-2024-12433

Affected Products

Ragflow