{"id":"CVE-2024-12433","details":"A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using pickle deserialization via `pickle.loads()` on `connection.recv()`, making it vulnerable to remote code execution. This issue is fixed in version 0.14.0.","modified":"2026-04-10T05:08:52.725715Z","published":"2025-03-20T10:15:28.760Z","references":[{"type":"FIX","url":"https://github.com/infiniflow/ragflow/commit/49494d4e3c8f06a5e52cf1f7cce9fa03cadcfbf6"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/8a1465af-09e4-42af-9e54-0b70e7c87499"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/infiniflow/ragflow","events":[{"introduced":"92a4a095c922690b31e9ef557b708d3920d092a9"},{"fixed":"49494d4e3c8f06a5e52cf1f7cce9fa03cadcfbf6"}],"database_specific":{"versions":[{"introduced":"0.12.0"},{"fixed":"0.14.0"}]}}],"versions":["v0.12.0","v0.13.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12433.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}