Lucene search

9 matches found

CVE-2024-12775
CVE | added 2025/03/20 10:15 a.m. | 59 views

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's sc...

CVSS 6.5 | AI score 6.6 | EPSS 0.00052

CVE-2025-1796
CVE | added 2025/03/20 10:15 a.m. | 50 views

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses random.randint for this purpose, which is not suitable ...

CVSS 8.8 | AI score 7 | EPSS 0.00079

CVE-2025-0184
CVE | added 2025/03/20 10:15 a.m. | 46 views

A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...

CVSS 6.5 | AI score 6.9 | EPSS 0.00053

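Both SSRF entries above (CVE-2024-12775 and CVE-2025-0184) share one shape: a URL taken from user-controlled input (an OpenAPI 'servers' entry, a DOCX external relationship target) is fetched by the server without checking where it points. The following is an added example, not code from Dify or from the advisories, of an outbound-URL gate that refuses non-public destinations. It resolves hostnames before deciding, so aliases like localhost, decimal or hex IP encodings, and names that point at the cloud metadata address are caught as well as literal 127.0.0.1. The function names and the injectable resolver are assumptions made for this example.

```python
"""Outbound-URL gate against SSRF (added example; names are illustrative)."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _resolve_default(host):
    """Resolve a hostname to the set of addresses it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _blocked_ip(ip):
    """True for addresses a server-side fetcher must never be steered at."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is loopback in disguise; unwrap IPv4-mapped IPv6.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_outbound_url(url, resolve=_resolve_default):
    """Return (ok, reason). `resolve` is injectable so the check runs offline in tests."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL"
    try:
        ips = {str(ipaddress.ip_address(host))}   # literal address: no DNS needed
    except ValueError:
        try:
            ips = resolve(host)                   # every address, not just the first
        except OSError as exc:
            return False, f"unresolvable host: {exc}"
    for ip in ips:
        if _blocked_ip(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

The check has to be repeated on every redirect target and, to close the DNS-rebinding window, the fetch itself should connect to an address that was just vetted rather than re-resolving the name. Applied to the entries above, the OpenAPI 'servers' URL would be gated before the test request is sent, and a DOCX relationship target would be gated before `requests` is handed the URL.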
CVE-2024-10252
CVE | added 2025/03/20 10:15 a.m. | 39 views

A vulnerability in langgenius/dify versions

CVSS 8.8 | AI score 9.1 | EPSS 0.00081

CVE-2024-11824
CVE | added 2025/03/20 10:15 a.m. | 38 views

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like and are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an a...

CVSS 7.6 | AI score 5.3 | EPSS 0.00057

CVE-2024-11850
CVE | added 2025/03/20 10:15 a.m. | 37 views

A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG...

CVSS 6.8 | AI score 6.2 | EPSS 0.00054

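The two stored-XSS entries above (CVE-2024-11824 and CVE-2024-11850) both come down to rendering user-supplied markup with a denylist that misses something. The following is an added example, not Dify's code, of the allowlist approach for the SVG case: parse the markup, keep only known-harmless elements and attributes, and drop everything else, which removes script, foreignObject, event handlers and href targets without having to enumerate them. The element and attribute lists are assumptions for this example and deliberately small; the same allowlist discipline applies to the HTML rendered in chat logs.

```python
"""Allowlist SVG sanitizer (added example; lists are illustrative, not exhaustive)."""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Serialize the SVG namespace as the default prefix so output stays plain <svg ...>.
ET.register_namespace("", SVG_NS)

ALLOWED_ELEMENTS = {"svg", "g", "path", "rect", "circle", "ellipse", "line",
                    "polyline", "polygon", "text", "tspan", "title", "desc"}
ALLOWED_ATTRS = {"width", "height", "viewBox", "fill", "stroke", "stroke-width",
                 "d", "x", "y", "cx", "cy", "r", "rx", "ry", "points",
                 "x1", "y1", "x2", "y2", "transform", "font-size", "text-anchor"}


def _local(name):
    """'{namespace}name' -> 'name' (works for element tags and attribute keys)."""
    return name.rsplit("}", 1)[-1]


def _clean(elem):
    # Anything not on the allowlist goes: on* handlers, href/xlink:href,
    # style (url() loads), and every foreign-namespace attribute in one pass.
    for name in list(elem.attrib):
        if _local(name) not in ALLOWED_ATTRS:
            del elem.attrib[name]
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_ELEMENTS:
            elem.remove(child)   # script, foreignObject, a, use, image, ...
        else:
            _clean(child)


def sanitize_svg(markup):
    """Return sanitized SVG markup, or '' if the input is malformed or not rooted at <svg>."""
    try:
        root = ET.fromstring(markup)   # production code: parse with defusedxml instead
    except ET.ParseError:
        return ""
    if _local(root.tag) != "svg":
        return ""
    _clean(root)
    return ET.tostring(root, encoding="unicode")
```

Rejecting malformed input outright matters as much as the allowlist: a renderer that falls back to echoing the raw string when parsing fails reopens the hole. A production renderer should hand this job to a maintained sanitizer rather than a hand-rolled list, but the shape of the decision (allow known-good, drop the rest) is what the fixes for both entries require.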
CVE-2024-12039
CVE | added 2025/03/20 10:15 a.m. | 36 views

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in ...

CVSS 8.1 | AI score 7.3 | EPSS 0.00146

CVE-2024-11821
CVE | added 2025/03/20 10:15 a.m. | 35 views

A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint /consol...

CVSS 4.3 | AI score 4.8 | EPSS 0.00053

CVE-2024-12776
CVE | added 2025/03/20 10:15 a.m. | 35 views

In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application.

CVSS 8.1 | AI score 8.1 | EPSS 0.00089
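Three entries in this listing are the same password-reset flow failing in three places: the six-digit code comes from random.randint (CVE-2025-1796), nothing caps how many guesses a client may make against it (CVE-2024-12039), and the reset endpoint does not check the code at all (CVE-2024-12776). The following is an added example, not Dify's code, of the flow with all three closed: the code is drawn from a CSPRNG, compared in constant time, burned after a small number of wrong guesses or on expiry, and the reset step only proceeds with a single-use token that is minted when the code is verified. The in-memory store, the limits and the names are assumptions made for this example.

```python
"""Password-reset code handling (added example; store and names are illustrative)."""
import hmac
import random
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # an attacker gets 5 tries, not the 10**6 a six-digit space allows
CODE_TTL_SECONDS = 600


def weak_reset_code():
    """The pattern the listing describes: Mersenne Twister output, reproducible from its state."""
    return f"{random.randint(0, 10**CODE_DIGITS - 1):0{CODE_DIGITS}d}"


def strong_reset_code():
    """CSPRNG-backed replacement; secrets.randbelow is unbiased over the whole range."""
    return f"{secrets.randbelow(10**CODE_DIGITS):0{CODE_DIGITS}d}"


class ResetStore:
    """Per-account reset state. Real deployments keep this in Redis or the database."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}       # email -> {code, issued, attempts, verified, token}

    def issue(self, email):
        code = strong_reset_code()
        self.pending[email] = {"code": code, "issued": self.now(),
                               "attempts": 0, "verified": False, "token": None}
        return code   # delivered out of band; returned here only so the example can be exercised

    def verify(self, email, guess):
        """Check a guess; returns (True, reset_token) or (False, reason)."""
        entry = self.pending.get(email)
        if entry is None:
            return False, "no pending reset"
        if self.now() - entry["issued"] > CODE_TTL_SECONDS:
            del self.pending[email]
            return False, "code expired"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[email]       # burn the code; a fresh one must be requested
            return False, "too many attempts"
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"].encode(), str(guess).encode()):
            return False, "wrong code"
        entry["verified"] = True
        entry["token"] = secrets.token_urlsafe(32)
        return True, entry["token"]

    def reset_password(self, email, token, new_password, users):
        """The 'resets' step: refuses unless this account's code was verified and the token matches."""
        entry = self.pending.get(email)
        if entry is None or not entry["verified"]:
            return False, "code not verified"
        if not hmac.compare_digest(entry["token"].encode(), str(token).encode()):
            return False, "bad reset token"
        users[email] = new_password       # stand-in for hashing and storing the credential
        del self.pending[email]           # single use
        return True, "password updated"
```

The attempt counter lives with the code, not with the client, so rotating source addresses does not reset it, and burning the code after the limit means the only way forward is to request a new one, which is the event to alert on. Binding the reset step to a token minted at verification time is what makes the endpoint unable to skip the check.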