CVE-2024-12871

5.4 MEDIUM

📋 TL;DR

This Cross-Site Scripting (XSS) vulnerability in infiniflow/ragflow version 0.12.0 allows attackers to upload malicious PDF files that execute JavaScript when viewed. This affects all users of vulnerable Ragflow instances, potentially compromising their sessions and sensitive data.

💻 Affected Systems

Products:
  • infiniflow/ragflow
Versions: 0.12.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with PDF upload functionality enabled and accessible to users.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, data exfiltration of all knowledge base content, and lateral movement within the application infrastructure.

🟠 Likely Case: Session hijacking leading to unauthorized access to the victim's knowledge base and potential data theft.

🟢 If Mitigated: Limited impact with proper input validation and output encoding, potentially only affecting the viewing user's session.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing the malicious PDF) and upload access to the knowledge base.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.12.1 or later

Vendor Advisory: https://huntr.com/bounties/7903945c-2839-4dd5-9d40-9ef47fe53118

Restart Required: Yes

Instructions:

1. Update Ragflow to version 0.12.1 or later.
2. Restart the Ragflow service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Disable PDF uploads (Scope: all)

Temporarily disable PDF file upload functionality in the Ragflow configuration, or modify the configuration to restrict file uploads to non-PDF formats.

Implement WAF rules (Scope: all)

Add web application firewall rules to block malicious PDF uploads, with the WAF configured to inspect PDF uploads for XSS payloads.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution
  • Enable file upload scanning and validation for all user-uploaded content

🔍 How to Verify

Check if Vulnerable:

Check if running Ragflow version 0.12.0 and test PDF upload functionality for XSS payload execution

Check Version:

Check Ragflow version in application interface or configuration files

Verify Fix Applied:

Verify version is 0.12.1 or later and test that malicious PDF uploads no longer execute JavaScript

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF upload patterns
  • Large PDF file uploads
  • Multiple failed upload attempts

Network Indicators:

  • PDF uploads containing JavaScript patterns
  • Suspicious file uploads to knowledge base endpoints
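The upload scanning recommended under "If You Can't Patch" and the "PDF uploads containing JavaScript patterns" indicator above, as an added example that is not code from the Ragflow project: it rejects uploads that do not start with the PDF magic and flags the PDF action names that can carry JavaScript, decoding `#xx` name escapes and inflating FlateDecode streams so that neither hides a marker from a plain string match. The watch-list and all sample bytes are constructed for this example.

```python
import re
import zlib

# PDF name tokens that introduce active content (constructed watch-list, not exhaustive).
ACTIVE_NAMES = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"}

# A PDF name runs from '/' to the next whitespace or delimiter; '#xx' is a hex escape.
_NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%]|#[0-9A-Fa-f]{2})+")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def _normalize_name(raw: bytes) -> bytes:
    """Decode '#xx' escapes so that /J#53 is recognised as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def _inflate_streams(data: bytes) -> bytes:
    """Return data plus the inflated body of each FlateDecode stream, so compressed markers are visible."""
    inflated = []
    for m in _STREAM_RE.finditer(data):
        try:
            inflated.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream: its raw bytes are scanned anyway
    return data + b"\n" + b"\n".join(inflated)


def scan_pdf(data: bytes) -> dict:
    """Classify an upload: reject non-PDFs and PDFs carrying active-content markers."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "markers": [], "reject": True}
    names = {_normalize_name(n) for n in _NAME_RE.findall(_inflate_streams(data))}
    markers = sorted(n.decode() for n in names & ACTIVE_NAMES)
    return {"is_pdf": True, "markers": markers, "reject": bool(markers)}


# Constructed samples: a plain document, one with a '#xx'-escaped /JavaScript name,
# and one with the action dictionary inside a FlateDecode stream.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SAMPLE_ESCAPED = (b"%PDF-1.4\n1 0 obj << /Type /Catalog "
                  b"/OpenAction << /S /J#61vaScript /JS (sample) >> >> endobj\n%%EOF\n")
SAMPLE_FLATE = (b"%PDF-1.4\n4 0 obj << /Filter /FlateDecode >>\nstream\n"
                + zlib.compress(b"<< /S /JavaScript /JS (sample) >>")
                + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("escaped", SAMPLE_ESCAPED), ("flate", SAMPLE_FLATE)):
        print(label, scan_pdf(sample))
```

A rejected verdict is a reason to quarantine the file and log the marker names, which gives the SIEM something more specific than upload size to alert on.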

SIEM Query:

source="ragflow" AND (event="file_upload" AND file_type="pdf") AND size>100KB
