CVE-2024-11822

High CVSS: 7.5

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the api_endpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal servers and potentially expose sensitive information, including access to the AWS metadata endpoint.

Vendor

Dify

Product

Dify

CWE

CWE-918

Yayın Tarihi

2025-03-20 10:15:25

Güncelleme

2025-04-01 20:35:15

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-918 Dify HIGH Dify 2025

Referanslar

https://huntr.com/bounties/f3042029-5d4e-41c6-850d-bbe02fae6592 https://huntr.com/bounties/f3042029-5d4e-41c6-850d-bbe02fae6592

Benzer Kayıtlar

Medium

CVE-2026-21866

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rend…

Medium

CVE-2026-28288

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-exi…

Medium

CVE-2026-26023

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been foun…

High

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the…

Medium

CVE-2025-56520

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_…

High

CVE-2025-0185

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in…