Home > Vulnerability Database > CVE-2024-12779

Mend.io Vulnerability Database

CVE-2024-12779

Date: March 20, 2025

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the "POST /v1/llm/add_llm" and "POST /v1/conversation/tts" endpoints. Attackers can specify an arbitrary URL as the "api_base" when adding an "OPENAITTS" model, and subsequently access the "tts" REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources.

Severity Score

7.5

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-12779

Url: https://huntr.com/bounties/3cc748ba-2afb-4bfe-8553-10eb6d6dd4f0

Url: https://www.mend.io/vulnerability-database/CVE-2024-12779

Severity Score

7.5

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-12779

Date: March 20, 2025

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?