CVE-2025-27135

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-27135

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27135.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-27135

Aliases

GHSA-3gqj-66qm-25jq

Published

2025-02-25T19:15:15Z

Modified

2025-04-23T04:12:12.300526Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available.

References

Affected packages

Git / github.com/infiniflow/ragflow

Affected ranges

Type: GIT
Repo: https://github.com/infiniflow/ragflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

1160b58b6e13cc11422c153f4124d682d87de67b

Affected versions

v0.*

v0.1.0

v0.10.0

v0.11.0

v0.12.0

v0.13.0

v0.14.0

v0.14.1

v0.15.0

v0.15.1

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.4.0

v0.5.0

v0.6.0

v0.7.0

v0.8.0

v0.9.0