PatchSiren cyber security CVE debrief
CVE-2025-45691 Vibrantlabsai CVE debrief
CVE-2025-45691 is an Arbitrary File Read vulnerability in the ImageTextPromptValue class of Exploding Gradients RAGAS versions 0.2.3 through 0.2.14. This vulnerability arises from inadequate validation and sanitization of URLs provided in the retrieved_contexts parameter when handling multimodal inputs. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVE was published on March 5, 2026, and last modified on June 30, 2026. The vendor, Vibrantlabsai, has addressed this issue in later versions of RAGAS.
- Vendor: Vibrantlabsai
- Product: Ragas
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-05
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-05
- Advisory updated: 2026-06-30
Who should care
Security teams and administrators responsible for Exploding Gradients RAGAS installations, particularly those running versions 0.2.3 through 0.2.14, should treat this as an active concern. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that no privileges or user interaction are needed; in practice the exposed input is retrieved_contexts, which is normally populated from the retrieval corpus, so any party who can influence the documents fed into an evaluation run can supply the crafted value. Given the HIGH severity, patching or compensating controls should be prioritised, including by downstream consumers such as Red Hat, which tracks this CVE in the referenced advisory data.
Technical summary
The ImageTextPromptValue class handles multimodal inputs, and the strings passed in retrieved_contexts are interpreted as possible image references. Because the URL or path in such a string is not validated or sanitized, a crafted value causes the library to read a file of the attacker's choosing from the host running the evaluation, and that file's contents are disclosed. The fix is in RAGAS 0.2.15 and later. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality impact and no integrity or availability impact, which matches a read-only file disclosure.
Defensive priority
Patching RAGAS to version 0.2.15 or later is the high-priority action. Until that is done, defenders should inspect retrieved_contexts values for file URLs, local paths and image URLs on unexpected hosts before an evaluation run, and run evaluation jobs under a least-privilege account so that the set of files readable through the flaw is as small as possible.
Recommended defensive actions
- Patch RAGAS installations to version 0.2.15 or later.
- Monitor retrieved_contexts values for file:// URLs, absolute or traversal paths, and image URLs pointing at hosts outside an allowlist, and reject or alert on them before the evaluation runs.
- Run evaluation jobs under a least-privilege account and, where possible, in an isolated environment with no credentials or secrets on disk, so a successful read discloses as little as possible.
- Validate and sanitize multimodal inputs at the point where contexts enter the pipeline: allowlist schemes and hosts, and never resolve a context string against the local filesystem.
- Add file-access monitoring (for example, auditing reads of sensitive paths by the evaluation process) as a compensating control until the patch is in place.
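The following Python is an added example, not code from RAGAS or from the vendor's fix. It reproduces the pattern described in the technical summary (a context string that parses as a file URL or names an existing path is loaded from disk as if it were an image) beside a hardened entry point that classifies each retrieved_contexts value before anything is opened, which is also the check the monitoring item above calls for. The function names, the allowlisted host `images.example.com`, the temporary "secret" file and the contexts list are all constructed for the example; POSIX-style paths are assumed.

```python
"""Added example (not RAGAS code): an unvalidated retrieved_contexts entry
becomes a local file read, and an input check that rejects it before loading."""
import base64
import os
import re
import tempfile
from urllib.parse import urlparse

# Hypothetical allowlist of image hosts the evaluation pipeline is expected to
# fetch from; any other remote host is rejected.
ALLOWED_IMAGE_HOSTS = {"images.example.com"}

_WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def _looks_like_local_path(s: str) -> bool:
    """True for absolute, home-relative, UNC, traversal or drive-letter paths."""
    return s.startswith(("/", "~", "\\\\", "./", "../", ".\\", "..\\")) or bool(
        _WINDOWS_DRIVE.match(s)
    )


def classify_context(context: str) -> str:
    """Classify one retrieved_contexts entry without touching disk or network.

    Returns "text", "remote-image", or "blocked:<reason>". Anything that would
    resolve to the local filesystem is blocked, as is a remote host that is
    not on the allowlist."""
    s = context.strip()
    parsed = urlparse(s)
    if parsed.scheme == "file":
        return "blocked:file-scheme"
    if _looks_like_local_path(s):
        return "blocked:local-path"
    if parsed.scheme in ("http", "https"):
        # .hostname (not .netloc) so "https://images.example.com@attacker/x"
        # is judged by the real host, attacker, and rejected.
        if parsed.hostname in ALLOWED_IMAGE_HOSTS:
            return "remote-image"
        return "blocked:host-not-allowlisted"
    if parsed.scheme and parsed.netloc:
        return "blocked:unexpected-scheme"  # e.g. ftp://, gopher://
    return "text"


def scan_contexts(contexts):
    """Monitoring helper: (index, verdict) for every entry that is not plain text."""
    flagged = []
    for i, c in enumerate(contexts):
        verdict = classify_context(c)
        if verdict != "text":
            flagged.append((i, verdict))
    return flagged


def vulnerable_load(context: str) -> str:
    """Hypothetical reproduction of the vulnerable pattern (not the RAGAS source):
    a context that is a file:// URL or names an existing file is treated as an
    image, read from disk and base64-encoded into the prompt material."""
    parsed = urlparse(context)
    path = parsed.path if parsed.scheme == "file" else context
    if os.path.isfile(path):
        with open(path, "rb") as f:
            return base64.b64encode(f.read()).decode()
    # A remote http(s) fetch would go here; omitted so the example runs offline.
    return context


def hardened_load(context: str) -> str:
    """Same entry point with the check in front: local paths never reach open(),
    and remote images are accepted only from allowlisted hosts."""
    verdict = classify_context(context)
    if verdict.startswith("blocked:"):
        raise ValueError(f"rejected retrieved_contexts entry ({verdict})")
    if verdict == "remote-image":
        return f"<image:{context.strip()}>"  # placeholder for an allowlisted fetch
    return context


def demo() -> dict:
    """Constructed retrieved_contexts list with a planted local path, run through
    both loaders. Returns what leaked, what was flagged and how many were blocked."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("API_KEY=constructed-secret")  # stands in for a sensitive file
    secret_path = tmp.name
    contexts = [
        "RAGAS evaluates retrieval quality per query.",  # ordinary chunk
        "https://images.example.com/chart.png",          # legitimate image
        f"file://{secret_path}",                         # planted file URL
        secret_path,                                     # planted bare path
        "https://attacker.example/pixel.png",            # off-allowlist host
    ]
    leaked = base64.b64decode(vulnerable_load(contexts[2])).decode()
    blocked = 0
    for c in contexts:
        try:
            hardened_load(c)
        except ValueError:
            blocked += 1
    os.unlink(secret_path)
    return {"leaked": leaked, "flagged": scan_contexts(contexts), "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

`classify_context` deliberately never calls `os.path.exists`: the vulnerable pattern's mistake is consulting the filesystem to decide what a context string means, so the hardened check decides from the string's shape alone and treats anything path-like as hostile. Feeding `scan_contexts` the contexts of each evaluation batch, and alerting on any `blocked:` verdict, is a practical interim monitor while the upgrade is scheduled.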
Evidence notes
The CVE record and the NVD entry carry the official description. The referenced items from GitHub and Red Hat are tagged as exploit, issue-tracking and patch material, but the stored evidence does not include a reproduced exploit or proof of concept, so exploitability should be verified against your own deployment rather than assumed, and monitoring kept in place until the upgrade is confirmed.
Official resources
- CVE-2025-45691 CVE record (CVE.org)
- CVE-2025-45691 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Exploit, Third Party Advisory
- Source reference: Product
- Mitigation or vendor reference: Exploit, Issue Tracking, Patch
- Mitigation or vendor reference: Exploit, Issue Tracking, Patch, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.