PT-2025-21792 · Ragflow · Ragflow

Published: 2025-05-17 · Updated: 2025-05-22 · CVE-2025-48187

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: RAGFlow versions 0.18.1 and earlier

Description: The vulnerability allows account takeover because email verification codes can be brute-forced: the codes are six digits and the verification endpoint applies no rate limiting, so an attacker can guess a code by repeated submission. This enables arbitrary account registration, login, and password reset.

Recommendations: For RAGFlow versions 0.18.1 and earlier, implement rate limiting on email verification code checks to prevent brute-force attacks until a patch is available. As a temporary workaround, restrict access to the email verification code feature to minimize the risk of exploitation.
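The weakness here is CWE-307 (Improper Restriction of Excessive Authentication Attempts): a six-digit code has only 10^6 values, so the check itself must bound the number of guesses. The following is an added illustration of the recommended mitigation, not RAGFlow's code or a patch for it. The store, its policy constants (MAX_ATTEMPTS, CODE_TTL_SECONDS, ISSUE_COOLDOWN_SECONDS) and the sample address are assumptions made for this example; it counts every guess, discards the code once the guess budget is spent, expires codes, and refuses to re-issue a code quickly so the counter cannot be reset on demand.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy knobs (assumed values for this example, not RAGFlow settings)
CODE_DIGITS = 6              # six-digit codes, as described in the advisory
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is discarded
CODE_TTL_SECONDS = 600       # a code is valid for at most 10 minutes
ISSUE_COOLDOWN_SECONDS = 60  # minimum gap between two codes for one address


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class VerificationCodeStore:
    """Hypothetical in-memory store for email verification codes.

    Every guess is counted; after MAX_ATTEMPTS wrong guesses the code is
    thrown away, so the 10**CODE_DIGITS space can never be walked.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable for tests
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, email: str) -> Optional[str]:
        """Generate a fresh code for `email`, or None if re-issued too soon."""
        now = self._clock()
        previous = self._pending.get(email)
        if previous is not None and now - previous.issued_at < ISSUE_COOLDOWN_SECONDS:
            # Refusing to re-issue stops the attempt counter from being reset
            # simply by requesting another code.
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email] = PendingCode(code=code, issued_at=now)
        return code

    def verify(self, email: str, submitted: str) -> bool:
        """Return True only for the current, unexpired code, within budget."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[email]             # expired: never accept it
            return False
        entry.attempts += 1                      # every submission costs a guess
        submitted = submitted.strip()
        well_formed = (len(submitted) == CODE_DIGITS
                       and submitted.isascii() and submitted.isdigit())
        # compare_digest keeps timing independent of how many digits match
        if well_formed and hmac.compare_digest(entry.code, submitted):
            del self._pending[email]             # single use
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[email]             # budget exhausted: discard code
        return False

    def attempts_left(self, email: str) -> int:
        entry = self._pending.get(email)
        return 0 if entry is None else MAX_ATTEMPTS - entry.attempts


def exhaust_then_submit_correct(store: VerificationCodeStore, email: str) -> bool:
    """Demo: after MAX_ATTEMPTS wrong guesses, even the true code is rejected."""
    code = store.issue(email)
    if code is None:
        raise RuntimeError("still within issue cooldown for this address")
    # Derive a value that is guaranteed to differ from the real code.
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        store.verify(email, wrong)
    return store.verify(email, code)


if __name__ == "__main__":
    s = VerificationCodeStore()
    # Constructed sample address for the demonstration.
    print("accepted after exhausting the guess budget:",
          exhaust_then_submit_correct(s, "user@example.test"))
```

In a real deployment the store would live in a shared backend (database or cache) rather than process memory, and the per-address limit should be paired with a per-source-IP limit so that one client cannot spread guesses across many addresses; the principle is the same: the check, not the client, decides how many guesses are allowed.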

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers: CVE-2025-48187

Affected Products: Ragflow