CVE-2025-0185

High CVSS: 8.8

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.

Vendor

Dify

Product

Dify

CWE

CWE-94

Yayın Tarihi

2025-03-20 10:15:51

Güncelleme

2025-03-27 19:18:14

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-94 Dify HIGH Dify 2025

Referanslar

https://huntr.com/bounties/7d9eb9b2-7b86-45ed-89bd-276c1350db7e https://huntr.com/bounties/7d9eb9b2-7b86-45ed-89bd-276c1350db7e

Benzer Kayıtlar

Medium

CVE-2026-21866

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rend…

Medium

CVE-2026-28288

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-exi…

Medium

CVE-2026-26023

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been foun…

High

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the…

Medium

CVE-2025-56520

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_…

High

CVE-2024-11822

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due…