CVE-2025-45691: RAGAS has an Arbitrary File Read vulnerability
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs.
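The defect named above is that a string in `retrieved_contexts` can be handed to a loader that resolves it against the local filesystem. The check below is an added illustration of the mitigation, not ragas's own code or the fix in the referenced pull requests: every context is classified before anything is fetched, and only an `http`/`https` URL with a host component may be fetched, so `file:` URLs, `data:` URLs, drive-letter paths, bare paths and host-less `http:///` forms are passed through as inert text. The function names, the `ALLOWED_SCHEMES` allow-list and the sample contexts are all constructed for this example.

```python
from urllib.parse import urlparse

# Hypothetical hardening helper for multimodal prompt contexts (added example,
# not ragas's own code or its shipped fix). The advisory's defect is that a
# context string is treated as something to open; this module decides, before
# any fetch happens, which contexts may be fetched at all.

ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeContextURL(ValueError):
    """A context string must not be fetched as an image URL."""


def validate_image_url(candidate: str) -> str:
    """Return the stripped URL if it is http(s) with a host; raise otherwise.

    Rejects file://, data:, drive-letter paths, bare filesystem paths, and
    http(s) URLs with an empty host (e.g. 'http:///var/x'), all of which a
    naive opener could resolve against the local filesystem.
    """
    if not isinstance(candidate, str) or not candidate.strip():
        raise UnsafeContextURL("empty or non-string context")
    url = candidate.strip()
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()  # urlparse reports 'c' for 'C:\\...', '' for '/var/x'
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeContextURL(f"scheme {scheme or '<none>'!r} is not http/https")
    if not parsed.netloc:
        raise UnsafeContextURL("URL has no host component")
    return url


def classify_context(context: str) -> tuple[str, str]:
    """Label one retrieved context as ('image_url', url) or ('text', context).

    Only 'image_url' entries are ever fetched; everything else, including
    anything that merely looks like a local path, is passed through as text
    and never opened.
    """
    try:
        return ("image_url", validate_image_url(context))
    except UnsafeContextURL:
        return ("text", context)


def fetchable_urls(contexts: list[str]) -> list[str]:
    """Return the subset of contexts that a prompt builder may fetch."""
    return [value for kind, value in map(classify_context, contexts) if kind == "image_url"]


# Constructed sample contexts (not from the advisory): one remote image, plus
# strings that must never be opened by the prompt builder.
SAMPLE_CONTEXTS = [
    "https://example.com/diagrams/figure1.png",
    "file:///var/app/config/settings.yaml",
    "/var/app/config/settings.yaml",
    "C:\\app\\config\\settings.yaml",
    "data:image/png;base64,iVBORw0KGgo=",
    "http:///var/app/config/settings.yaml",
    "The quarterly report shows revenue up 4%.",
]

if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        kind, _ = classify_context(ctx)
        print(f"{kind:9s}  {ctx}")
    print("fetchable:", fetchable_urls(SAMPLE_CONTEXTS))
```

Run against the sample list, only the `https://example.com/...` entry is returned by `fetchable_urls`; everything else stays text. The check deliberately classifies rather than rejects, so a context that happens to contain a colon (plain prose, a timestamp) is not dropped from the prompt, it is simply never treated as a URL to open.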
References
- adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability
- github.com/advisories/GHSA-v2xr-wvrv-p969
- github.com/explodinggradients/ragas/blob/e97886ac976465efb60e5949c5d69baf30cc811d/src/ragas/prompt/multi_modal_prompt.py
- github.com/explodinggradients/ragas/pull/1559
- github.com/vibrantlabsai/ragas
- github.com/vibrantlabsai/ragas/commit/b28433709cbedbb531db79dadcfbdbd3aa6adcb0
- github.com/vibrantlabsai/ragas/pull/1991
- nvd.nist.gov/vuln/detail/CVE-2025-45691