icon

We found results for “

CVE-2024-12779

Date: March 20, 2025

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the "POST /v1/llm/add_llm" and "POST /v1/conversation/tts" endpoints. Attackers can specify an arbitrary URL as the "api_base" when adding an "OPENAITTS" model, and subsequently access the "tts" REST API endpoint to read contents from the specified URL. This can lead to unauthorized access to internal web resources.

Severity Score

Severity Score

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us