CVE-2024-12433
📋 TL;DR
This CVE allows remote attackers to execute arbitrary code on systems running vulnerable versions of infiniflow/ragflow. Attackers can bypass authentication using a hard-coded secret key and exploit insecure pickle deserialization to achieve remote code execution. All users running ragflow versions v0.12.0 through v0.13.x are affected.
💻 Affected Systems
- infiniflow/ragflow
📦 What is this software?
Ragflow by Infiniflow
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems in the network.
Likely Case
Remote code execution leading to data theft, service disruption, or cryptocurrency mining malware installation.
If Mitigated
Limited impact if network segmentation and strict firewall rules prevent external access to the vulnerable service.
🎯 Exploit Status
Exploitation is straightforward - attackers need only discover the hard-coded auth key and send a malicious pickle payload. Public exploit details are available in the huntr.com bounty report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.14.0
Vendor Advisory: https://github.com/infiniflow/ragflow/commit/49494d4e3c8f06a5e52cf1f7cce9fa03cadcfbf6
Restart Required: Yes
Instructions:
1. Stop all ragflow services. 2. Update to version 0.14.0 or later using 'pip install ragflow==0.14.0' or equivalent. 3. Restart all ragflow services. 4. Verify the fix by checking the version and ensuring the RPC server uses proper authentication.
🔧 Temporary Workarounds
Network Isolation
linuxBlock external access to ragflow RPC server ports using firewall rules
iptables -A INPUT -p tcp --dport [RAGFLOW_PORT] -j DROP
ufw deny [RAGFLOW_PORT]
Disable RPC Server
allDisable the vulnerable RPC server component if not required
Modify ragflow configuration to disable RPC server or run without RPC functionality
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ragflow instances from untrusted networks
- Deploy application-level firewalls or WAFs to inspect and block pickle deserialization attempts
🔍 How to Verify
Check if Vulnerable:
Check if ragflow version is between 0.12.0 and 0.13.x using 'ragflow --version' or examine package metadataCheck Version:
ragflow --version || python -c "import ragflow; print(ragflow.__version__)" || pip show ragflowVerify Fix Applied:
Confirm version is 0.14.0 or later and test that the hard-coded auth key no longer works for RPC authentication📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with hard-coded key
- Unusual pickle deserialization errors
- Unexpected process spawns from ragflow service
Network Indicators:
- Network traffic to ragflow RPC ports containing pickle serialized data
- Authentication attempts using 'infiniflow-token4kevinhu'
SIEM Query:
source="ragflow" AND ("pickle.loads" OR "infiniflow-token4kevinhu" OR "authkey=b")