CVE-2024-12433 Overview
CVE-2024-12433 is a remote code execution vulnerability in Infiniflow RagFlow version 0.12.0. The Remote Procedure Call (RPC) server ships with a hard-coded AuthKey value of b'infiniflow-token4kevinhu'. Attackers can recover this key from the public source code and join the group communication channel without further restrictions. The server then deserializes attacker-controlled bytes using pickle.loads() on the result of connection.recv(). This unsafe deserialization path [CWE-502] enables arbitrary code execution on the host. The issue is fixed in RagFlow version 0.14.0.
Critical Impact
Unauthenticated attackers reaching the RagFlow RPC port can execute arbitrary Python code on the server, leading to full compromise of the RAG pipeline and any data it processes.
Affected Products
- Infiniflow RagFlow version 0.12.0
- Infiniflow RagFlow versions prior to 0.14.0
- Infiniflow RagFlow Python SDK versions prior to 0.14.0
Discovery Timeline
- 2025-03-20 - CVE-2024-12433 published to the National Vulnerability Database (NVD)
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2024-12433
Vulnerability Analysis
RagFlow is an open-source Retrieval-Augmented Generation (RAG) engine that uses a Python RPC server for inter-process communication between worker components. The RPC server authenticates clients with a shared AuthKey value. In version 0.12.0, this key is hard-coded as b'infiniflow-token4kevinhu' directly in the public repository.
Once a client passes the authentication handshake, the server reads framed bytes from the socket and reconstructs Python objects with pickle.loads(connection.recv()). Python pickle deserialization invokes __reduce__ methods on arbitrary classes during object reconstruction. An attacker can craft a pickle payload whose __reduce__ returns a callable such as os.system with an arbitrary command string. The chain of a public authentication secret combined with unsafe deserialization converts network reachability into reliable code execution.
Root Cause
The root cause is the combination of two flaws. First, the static AuthKey provides no real authentication boundary because the value is committed to source control. Second, the RPC handler uses pickle as the wire format, which is unsafe for any data that crosses a trust boundary. Python documentation explicitly warns that pickle.loads() must never be called on untrusted input.
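The sketch below is an added example, not RagFlow's code and not the 0.14.0 patch. It shows a receive path that closes both flaws: the key comes from the environment and the published value is refused, and messages are HMAC-authenticated JSON checked against a method allowlist instead of pickled objects. The variable RAGFLOW_RPC_KEY, the method names and the function names are hypothetical.

```python
import hashlib
import hmac
import json
import os

# Key published in the 0.12.0 source; a deployment must never accept it.
PUBLISHED_KEY = b"infiniflow-token4kevinhu"
ALLOWED_METHODS = {"chat", "embed"}  # hypothetical allowlist for this sketch
TAG_LEN = hashlib.sha256().digest_size


def load_key(env=os.environ):
    """Read the RPC key from the environment (hypothetical variable name)."""
    key = env.get("RAGFLOW_RPC_KEY", "").encode()
    if len(key) < 32 or key == PUBLISHED_KEY:
        raise RuntimeError("RPC key missing, too short, or the published default")
    return key


def encode_request(key, method, params):
    """Client side: JSON body prefixed with an HMAC-SHA256 tag."""
    body = json.dumps({"method": method, "params": params}).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def decode_request(key, frame):
    """Server side: authenticate first, then parse as plain data only."""
    if len(frame) <= TAG_LEN:
        raise ValueError("frame too short")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    msg = json.loads(body)  # yields dict/list/str/number, never live objects
    method = msg.get("method") if isinstance(msg, dict) else None
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        raise ValueError("method not allowed")
    if not isinstance(msg.get("params"), dict):
        raise ValueError("params must be an object")
    return method, msg["params"]
```

A frame that fails the MAC check is rejected before any parsing, so bytes from a peer without the key never reach a decoder.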
Attack Vector
The attack vector is network-based and requires no user interaction or prior credentials. An attacker who can reach the RagFlow RPC port supplies the well-known AuthKey, completes the handshake, sends a malicious pickle payload, and triggers command execution as the RagFlow service user. From there the attacker can pivot to model artifacts, vector stores, ingested documents, and any cloud credentials available on the host.
# Patch reference - sdk/python/pyproject.toml
[tool.poetry]
name = "ragflow-sdk"
-version = "0.13.0"
+version = "0.14.0"
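Review bot: the only change visible in this hunk is the version line in sdk/python/pyproject.toml (0.13.0 to 0.14.0); nothing here touches the hard-coded AuthKey or the pickle.loads(connection.recv()) call, so the hunk on its own does not show how the flaw was fixed. The patch reference should either cite the hunk that changes the RPC server or state explicitly that this line is only the release marker for the fixed version.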
Source: GitHub commit 49494d4
Detection Methods for CVE-2024-12433
Indicators of Compromise
- Inbound network connections to RagFlow RPC ports from unexpected sources, especially those containing the byte string infiniflow-token4kevinhu.
- Unexpected child processes of the RagFlow Python worker, such as sh, bash, curl, wget, or python with inline -c arguments.
- New outbound connections from the RagFlow host to attacker-controlled IPs immediately after RPC traffic.
- Modifications to RagFlow configuration files, model directories, or scheduled tasks shortly after RPC activity.
Detection Strategies
- Hunt for Python processes invoking pickle.loads on data received from sockets, correlating with subsequent os.system, subprocess.Popen, or eval calls.
- Apply network signatures that match the literal AuthKey token infiniflow-token4kevinhu in TCP payloads.
- Inspect process lineage for the RagFlow service account and alert on shell or interpreter children that are not part of normal RAG workflows.
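The process-lineage check above can be expressed as a small rule over process-creation telemetry. This is an added example, not part of the original advisory or of any product; the event field names, the worker marker and the sample events are constructed for illustration.

```python
import os
import shlex

# Child images the advisory lists as suspicious under the RagFlow worker.
SUSPECT_CHILDREN = {"sh", "bash", "curl", "wget"}
# Assumption: the worker's command line contains this marker.
WORKER_MARKER = "ragflow"


def is_suspicious(event):
    """Return a reason string if a process-creation event warrants an alert."""
    parent = event["parent_cmdline"].lower()
    if "python" not in parent or WORKER_MARKER not in parent:
        return None  # parent is not the RagFlow Python worker
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:  # unbalanced quotes in the logged command line
        argv = event["cmdline"].split()
    if not argv:
        return None
    image = os.path.basename(argv[0])
    if image in SUSPECT_CHILDREN:
        return f"shell/downloader child: {image}"
    if image.startswith("python") and "-c" in argv[1:]:
        return "python child with inline -c"
    return None


def hunt(events):
    """Return (host, pid, reason) for every event that matches the rule."""
    return [(e["host"], e["pid"], r) for e in events if (r := is_suspicious(e))]


# Constructed sample telemetry; paths and hosts are placeholders.
WORKER = "python3 /opt/ragflow-example/worker.py"
EVENTS = [
    {"host": "rag-01", "pid": 4101, "parent_cmdline": WORKER,
     "cmdline": "/bin/sh -c 'id'"},
    {"host": "rag-01", "pid": 4102, "parent_cmdline": WORKER,
     "cmdline": "python3 -c 'import os'"},
    {"host": "rag-01", "pid": 4103, "parent_cmdline": WORKER,
     "cmdline": "python3 /opt/ragflow-example/task.py"},
    {"host": "web-02", "pid": 900, "parent_cmdline": "nginx: master process",
     "cmdline": "/bin/sh -c logrotate"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit)
```

Baseline the worker's legitimate children first; any helper it normally spawns belongs in an explicit exclusion list rather than in a loosened rule.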
Monitoring Recommendations
- Forward host process, network, and file telemetry from RagFlow servers to a centralized analytics platform for retrospective hunting.
- Restrict the RagFlow RPC port to localhost or a defined allowlist of worker hosts and alert on any external access attempts.
- Track installed RagFlow versions across the environment and flag any host still running 0.12.x or 0.13.x.
How to Mitigate CVE-2024-12433
Immediate Actions Required
- Upgrade all RagFlow installations to version 0.14.0 or later, including the ragflow-sdk Python package.
- Block external network access to the RagFlow RPC listener at the firewall or security group layer until the upgrade is complete.
- Rotate any secrets, API keys, or model credentials that were accessible from a RagFlow host running 0.12.0.
- Review recent RagFlow logs and host telemetry for signs of pickle-based exploitation and unexpected child processes.
Patch Information
The vendor fix is delivered in RagFlow 0.14.0. The version bump is recorded in pyproject.toml and sdk/python/pyproject.toml as shown in GitHub commit 49494d4. Bounty details and additional context are available in the Huntr bounty report.
Workarounds
- Bind the RagFlow RPC listener to 127.0.0.1 and require all worker traffic to traverse an authenticated tunnel such as mTLS or SSH.
- Place the RagFlow service behind a network policy that only permits traffic from known internal worker IPs.
- Run the RagFlow process as a low-privilege user inside a container with no outbound internet access to limit blast radius if exploited.
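# Example iptables rule restricting the RagFlow RPC port to localhost.
# -A appends, so any earlier ACCEPT rule for this port still takes precedence;
# IPv6 traffic needs an equivalent ip6tables rule.
sudo iptables -A INPUT -p tcp --dport 9380 ! -s 127.0.0.1 -j DROP
# Verify installed RagFlow version
pip show ragflow | grep -i version
# Upgrade RagFlow and the SDK to the fixed release
pip install --upgrade "ragflow>=0.14.0" "ragflow-sdk>=0.14.0"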

