Code Injection Vulnerability in Dify Sandbox Service by Langgenius
CVE-2024-10252

8.8HIGH

Key Information:

Vendor: Langgenius
Status: Langgenius/dify
Vendor: CVE Published:; 20 March 2025

Summary

A code injection vulnerability in the Dify sandbox service, affecting langgenius/dify versions up to v0.9.1, allows attackers to exploit internal Server-Side Request Forgery (SSRF) requests. By leveraging this flaw, an attacker can execute arbitrary Python code with root privileges in the sandbox environment. This may result in the deletion of the entire sandbox service, potentially causing irreversible damage and compromising the application's integrity.

Affected Version(s)

langgenius/dify < 0.2.10

References

https://huntr.com/bounties/62c6c958-96cb-426c-aebc-c41f06...

https://github.com/langgenius/dify/commit/4ac99ffe0e1c9f4...

CVSS V3.0

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Oct 22, 2024