Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.9
Exploding Gradients RAGAS: Unrestricted File Access Risk
CVE-2025-45691
GHSA-v2xr-wvrv-p969
GHSA-v2xr-wvrv-p969
Summary
A security flaw in Exploding Gradients RAGAS allows an attacker to access any file on the system. This can happen when the software processes certain types of input. Update to the latest version to fix the issue.
What to do
- Update ragas to version 0.3.0-rc1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | ragas | > 0.2.3 , <= 0.3.0-rc1 | 0.3.0-rc1 |
| vibrantlabsai | ragas | > 0.2.3 , <= 0.2.14 | – |
Original title
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of UR...
Original description
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs.
nvd CVSS3.1
7.5
Vulnerability type
CWE-22
Path Traversal
CWE-770
Allocation of Resources Without Limits
CWE-918
Server-Side Request Forgery (SSRF)
- https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability
- https://github.com/explodinggradients/ragas/blob/e97886ac976465efb60e5949c5d69ba...
- https://github.com/explodinggradients/ragas/pull/1559
- https://github.com/vibrantlabsai/ragas/pull/1991
- https://nvd.nist.gov/vuln/detail/CVE-2025-45691
- https://github.com/vibrantlabsai/ragas/commit/b28433709cbedbb531db79dadcfbdbd3aa...
- https://github.com/advisories/GHSA-v2xr-wvrv-p969
- https://github.com/vibrantlabsai/ragas Product
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026