CVE-2025-45691 — Path Traversal in Ragas

CWE-22 — Path Traversal CWE-918 — Server-Side Request Forgery CWE-770 — Allocation of Resources Without Limits or Throttling7 documents6 sources

Severity

7.5HIGHNVD

NVD5.3

EPSS

0.1%

top 77.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vibrantlabsai Ragas

Timeline

PublishedMar 5

Latest updateApr 19

Description

An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶PyPIvibrantlabsai/ragas0.2.3 — 0.3.0-rc1

▶NVDvibrantlabsai/ragas0.2.3 — 0.2.14

▶CVEListV5vibrantlabsai/ragas4 versions+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

VulDB

vibrantlabsai RAGAS up to 0.4.3 Collections util.py _try_process_local_file/_try_process_url retrieved_contexts server-side request forgery↗2026-04-19

▶

GHSA

RAGAS has an Arbitrary File Read vulnerability↗2026-03-05

▶

OSV

RAGAS has an Arbitrary File Read vulnerability↗2026-03-05

▶

📋Vendor Advisories

Red Hat

ragas: arbitrary file read via improper URL validation in multimodal inputs↗2026-03-05

▶

🕵️Threat Intelligence

Wiz

CVE-2025-45691 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶