CVE-2025-45691
Awaiting Analysis Awaiting Analysis - Queue
Arbitrary File Read in Exploding Gradients RAGAS ImageTextPromptValue

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: MITRE

Description
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-45691
EUVD
EUVD-2025-208315
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
vibrantlabsai ragas From 0.2.3 (inc) to 0.2.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to serious security impacts including:

  • Arbitrary reading of sensitive internal files such as /etc/passwd or environment files containing secrets.
  • Server-Side Request Forgery (SSRF) attacks allowing attackers to access internal network services or cloud metadata endpoints (e.g., AWS EC2 metadata) to steal credentials.
  • Denial of Service (DoS) by exhausting server resources through reading large files or fetching large/slow remote files.
  • Data exfiltration through language model interfaces or side channels, especially in multi-tenant SaaS environments or exposed internal tooling.
  • Internal port scanning and reconnaissance by supplying crafted URLs to probe backend infrastructure.
Executive Summary

CVE-2025-45691 is an Arbitrary File Read vulnerability in the ImageTextPromptValue class of Exploding Gradients RAGAS versions 0.2.3 to 0.2.14. It arises from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs.

The vulnerability stems from flawed MIME type checking and URL handling, where URLs that appear to be images (e.g., ending with .jpg in URL fragments) are incorrectly accepted. This allows attackers to bypass image validation and use file:// URLs or crafted HTTP URLs to read arbitrary local files or access internal network resources.

Exploitation involves tricking the system into fetching and base64-encoding sensitive files or internal endpoints by abusing the get_image() method, which downloads and encodes images without sufficient security checks.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of CVE-2025-45691 involves monitoring for suspicious URLs or payloads in the retrieved_contexts parameter that exploit improper URL validation, especially those containing file:// schemes or URLs with image-like suffixes in fragments (e.g., file://localhost/etc/passwd#payload.jpg).'}, {'type': 'paragraph', 'content': 'Network or system detection can focus on identifying attempts to access local files or internal metadata endpoints via crafted URLs that appear as images.'}, {'type': 'list_item', 'content': 'Inspect logs or traffic for URLs containing file:// schemes or unusual image-like suffixes in URL fragments.'}, {'type': 'list_item', 'content': 'Use network monitoring tools to detect outbound requests to internal IP ranges or cloud metadata IPs (e.g., 169.254.169.254).'}, {'type': 'list_item', 'content': "Example command to search application logs for suspicious URLs (Linux):\n grep -E 'file://|\\.jpg#|\\.png#' /path/to/ragas/logs/*.log"}, {'type': 'list_item', 'content': 'Example command to monitor network connections to internal IPs:\n sudo tcpdump -i any dst net 169.254.0.0/16 or dst net 127.0.0.0/8 or dst net 10.0.0.0/8'}, {'type': 'list_item', 'content': 'Check for unexpected file read operations or base64-encoded data in application outputs that may indicate exfiltration.'}] [2, 4]

Mitigation Strategies

Immediate mitigation steps include applying the security patches that replace the insecure image handling logic in the ImageTextPromptValue class with a secure processing pipeline.

Key mitigation actions are:

  • Update to a fixed version of RAGAS that implements strict input validation, disallows file:// URLs, and enforces allowed URL schemes (http, https) only.
  • Disable or carefully configure local file access features (ALLOW_LOCAL_FILE_ACCESS set to false) to prevent directory traversal and unauthorized file reads.
  • Use libraries like Pillow to validate that downloaded or local files are genuine images before processing.
  • Implement SSRF protections by blocking requests to internal IP ranges and cloud metadata endpoints.
  • Limit maximum download sizes and enforce timeouts on remote resource fetching to prevent Denial of Service.
  • Review and configure security constants such as ALLOWED_URL_SCHEMES, MAX_DOWNLOAD_SIZE_BYTES, and REQUESTS_TIMEOUT_SECONDS according to your security policy.

If immediate patching is not possible, consider restricting access to the vulnerable service, monitoring for exploitation attempts, and sanitizing inputs to the retrieved_contexts parameter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-45691. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart