CVE-2024-12433 Overview
A critical remote code execution vulnerability exists in infiniflow/ragflow versions prior to v0.14.0 due to insecure deserialization combined with hard-coded authentication credentials. The RPC server in RAGFlow uses a hard-coded AuthKey (authkey=b'infiniflow-token4kevinhu') which can be easily discovered by attackers to join the group communication without restrictions. Additionally, the server processes incoming data using Python's pickle.loads() function on connection.recv(), making it vulnerable to arbitrary code execution when an attacker sends malicious serialized objects.
Critical Impact
Attackers can achieve unauthenticated remote code execution by exploiting the hard-coded authentication token and sending malicious pickle payloads to the RPC server, potentially leading to complete system compromise.
Affected Products
- Infiniflow RAGFlow versions prior to 0.14.0
- Infiniflow RAGFlow v0.12.0 (confirmed affected)
- Infiniflow RAGFlow v0.13.0
Discovery Timeline
- 2025-03-20 - CVE-2024-12433 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2024-12433
Vulnerability Analysis
This vulnerability (CWE-502: Deserialization of Untrusted Data) stems from two fundamental security flaws that chain together to enable remote code execution. The RAGFlow RPC server implements interprocess communication using Python's multiprocessing module, which relies on pickle serialization for data transfer between processes. Pickle is inherently unsafe when processing untrusted data because it can execute arbitrary Python code during deserialization.
The first flaw involves a hard-coded authentication key embedded directly in the source code. This static credential (infiniflow-token4kevinhu) allows any attacker who discovers it to authenticate to the RPC server and join group communications. The second flaw occurs when the server deserializes incoming messages using pickle.loads() without any validation or sanitization, enabling arbitrary code execution when malicious pickle payloads are received.
Root Cause
The root cause is twofold: (1) the use of hard-coded credentials for RPC authentication, violating secure credential management practices, and (2) the direct use of Python's pickle.loads() function to deserialize untrusted network input. Pickle deserialization in Python can instantiate arbitrary objects and execute code through the __reduce__ magic method, making it fundamentally unsafe for processing untrusted data. The combination of these flaws lowers the attack barrier significantly, as attackers only need to discover the static token to gain authenticated access to the vulnerable deserialization endpoint.
Attack Vector
The attack is network-based and requires no user interaction or prior privileges. An attacker can remotely connect to the RAGFlow RPC server using the hard-coded authentication key. Once authenticated, the attacker crafts a malicious pickle payload containing arbitrary Python code (typically using the __reduce__ method to execute system commands). When the server receives and deserializes this payload using pickle.loads(), the embedded code executes with the privileges of the RAGFlow process, potentially allowing full system compromise, data exfiltration, or lateral movement within the network.
The vulnerability was reported through the Huntr Bug Bounty Program.
Detection Methods for CVE-2024-12433
Indicators of Compromise
- Unusual network connections to RAGFlow RPC server ports from external or unexpected IP addresses
- Presence of the hard-coded authentication string infiniflow-token4kevinhu in network traffic
- Unexpected child processes spawned by the RAGFlow application
- Anomalous system commands executed by the RAGFlow process user account
Detection Strategies
- Monitor network traffic for connections to RAGFlow RPC endpoints containing known hard-coded credentials
- Deploy application-level logging to detect authentication attempts using the compromised static token
- Implement endpoint detection rules to identify pickle deserialization attacks and suspicious process creation chains
- Review RAGFlow server logs for authentication events from untrusted sources
Monitoring Recommendations
- Enable verbose logging on RAGFlow deployments to capture RPC authentication events and deserialization operations
- Configure network monitoring to alert on unexpected connections to RAGFlow service ports
- Implement file integrity monitoring on RAGFlow installation directories to detect unauthorized modifications
- Deploy SentinelOne Singularity to monitor for behavioral indicators of post-exploitation activity
How to Mitigate CVE-2024-12433
Immediate Actions Required
- Upgrade infiniflow/ragflow to version 0.14.0 or later immediately
- Restrict network access to RAGFlow RPC server ports using firewall rules
- Audit systems for signs of compromise if running vulnerable versions
- Rotate any credentials or secrets that may have been exposed on compromised systems
Patch Information
The vulnerability has been addressed in RAGFlow version 0.14.0. The fix is available via the official GitHub commit. Organizations should upgrade immediately by pulling the latest version from the official repository.
[tool.poetry]
name = "ragflow"
-version = "0.13.0"
+version = "0.14.0"
description = "[RAGFlow](https://ragflow.io/) is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. It offers a streamlined RAG workflow for businesses of any scale, combining LLM (Large Language Models) to provide truthful question-answering capabilities, backed by well-founded citations from various complex formatted data."
authors = ["Your Name <you@example.com>"]
license = "https://github.com/infiniflow/ragflow/blob/main/LICENSE"
Source: GitHub Commit
Workarounds
- If immediate patching is not possible, isolate RAGFlow instances behind a firewall allowing only trusted IP addresses
- Implement network segmentation to prevent external access to RPC server ports
- Deploy a reverse proxy with additional authentication requirements in front of RAGFlow services
- Monitor all RPC traffic for suspicious pickle payloads as a temporary detection measure
# Example firewall configuration to restrict RPC access
# Allow only trusted internal IPs to access RAGFlow RPC ports
iptables -A INPUT -p tcp --dport <ragflow_rpc_port> -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport <ragflow_rpc_port> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
