{"id":"CVE-2025-45691","details":"An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs.","aliases":["GHSA-v2xr-wvrv-p969"],"modified":"2026-03-15T22:51:10.853139Z","published":"2026-03-05T19:16:00.027Z","references":[{"type":"WEB","url":"https://github.com/explodinggradients/ragas/blob/e97886ac976465efb60e5949c5d69baf30cc811d/src/ragas/prompt/multi_modal_prompt.py#L202"},{"type":"FIX","url":"https://github.com/explodinggradients/ragas/pull/1559"},{"type":"FIX","url":"https://github.com/vibrantlabsai/ragas/pull/1991"},{"type":"EVIDENCE","url":"https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vibrantlabsai/ragas","events":[{"introduced":"e7987e5634896e62453bab0bf043b270b3faf15e"},{"last_affected":"414a518613d15341bbafaf2b8d630ce59db6af97"}],"database_specific":{"versions":[{"introduced":"0.2.3"},{"last_affected":"0.2.14"}]}}],"versions":["v0.2.10","v0.2.11","v0.2.12","v0.2.13","v0.2.14","v0.2.3","v0.2.4","v0.2.5","v0.2.6","v0.2.7","v0.2.8","v0.2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-45691.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}