CVE-2025-25282

Name of the Vulnerable Software and Affected Versions RAGFlow versions <= 0.13.0

Description RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability, which may lead to unauthorized cross-tenant access. This can result in listing tenant user accounts and adding user accounts into other tenants. The issue can be exploited via API endpoints such as "GET //user/list" and "POST //user".

Recommendations For RAGFlow versions <= 0.13.0, users are advised to reach out to the project maintainers to coordinate a fix, as this issue has not yet been patched. As a temporary workaround, consider restricting access to the vulnerable API endpoints, such as "GET //user/list" and "POST //user", to minimize the risk of exploitation.