Dify Security Vulnerabilities and Issues — Dify CVE List

Lucene search

LanggeniusDify

8 matches found

CVE•added 2025/03/20 10:15 a.m.•59 views

CVE-2024-12775

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's sc...

6.5CVSS6.6AI score0.00052EPSS

CVE•added 2025/04/18 4:15 p.m.•58 views

CVE-2025-32795

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users are improperly granted permissions to edit APP names, descriptions and icons. This access control flaw allows non-admin users to modify app details, despite be...

6.5CVSS7AI score0.00033EPSS

CVE•added 2025/04/18 4:15 p.m.•57 views

CVE-2025-32796

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal users are not permitted to make such changes. ...

6.5CVSS6.9AI score0.0005EPSS

CVE•added 2025/04/18 1:15 p.m.•55 views

CVE-2025-32790

Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrator users to export DSL. A workaround for thi...

6.3CVSS6.1AI score0.00039EPSS

CVE•added 2025/04/28 4:15 p.m.•51 views

CVE-2025-43854

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to u...

6.1CVSS7AI score0.00036EPSS

CVE•added 2025/03/20 10:15 a.m.•46 views

CVE-2025-0184

A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...

6.5CVSS6.9AI score0.00053EPSS

CVE•added 2025/03/20 10:15 a.m.•37 views

CVE-2024-11850

A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG...

6.8CVSS6.2AI score0.00054EPSS

CVE•added 2025/06/17 11:15 p.m.•6 views

CVE-2025-49149

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a cross-site scripting (XSS) attack when a user brow...

6.1CVSS5.9AI score0.00045EPSS