Server-Side Request Forgery Flaw in Dify by langgenius
CVE-2024-11822

7.5 HIGH

Key Information:

Vendor: Langgenius
CVE Published: 20 March 2025

Summary

The Dify application by langgenius contains a Server-Side Request Forgery (SSRF) vulnerability caused by improper handling of the api_endpoint parameter. Because the value is not validated before the server uses it, an attacker can make the application issue requests to internal network services on their behalf. Sensitive information may be exposed as a result, including responses from critical resources such as the AWS metadata endpoint, which could lead to broader compromise for organizations running this software.
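The summary describes the classic SSRF shape: a caller-controlled endpoint URL that the server fetches without checking where it points. The block below is an added example of the kind of egress check that blocks the internal and metadata destinations the summary mentions; it is not Dify's code and does not come from this advisory. The function names, the http/https scheme allow-list, the explicit metadata address list and the sample addresses are assumptions for illustration.

```python
"""
Hypothetical egress-URL validator for a user-supplied endpoint such as the
api_endpoint parameter named in CVE-2024-11822. Added example, not Dify's own
implementation; every name and constant here is an illustrative assumption.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: only plain web endpoints are legitimate destinations.
ALLOWED_SCHEMES = {"http", "https"}

# Cloud metadata addresses, listed explicitly even though the generic
# link-local / private checks below would also catch them (constructed list).
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}


def default_resolver(host):
    """Resolve host to every A/AAAA answer. An attacker controls the DNS for
    names they own, so every returned address must be checked, not just one."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def make_static_resolver(table):
    """Build a resolver from a fixed host -> [address, ...] table, so the
    validator can be exercised offline with constructed data."""
    def resolve(host):
        return [ipaddress.ip_address(a) for a in table.get(host, [])]
    return resolve


def address_is_internal(addr):
    """True for any address a server should never be told to fetch from."""
    # An IPv4-mapped IPv6 literal such as [::ffff:127.0.0.1] must be judged
    # as the IPv4 address it carries, otherwise loopback slips through.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr in METADATA_ADDRESSES:
        return True
    return (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def validate_endpoint(url, resolver=default_resolver):
    """Return the vetted address the caller must connect to, or raise ValueError.

    Returning the address (rather than just True) lets the HTTP client pin the
    connection to it, which closes the DNS-rebinding window between the check
    and the actual request.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in URL are not allowed")
    try:
        # IP literal (IPv4 or bracketed IPv6): no DNS lookup needed.
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"no addresses for host {host!r}")
    for addr in addrs:
        if address_is_internal(addr):
            raise ValueError(f"endpoint resolves to internal address {addr}")
    return addrs[0]


def is_safe_endpoint(url, resolver=default_resolver):
    """Boolean convenience wrapper around validate_endpoint."""
    try:
        validate_endpoint(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one public endpoint, two internal ones.
    for candidate in ("https://93.184.216.34/v1",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/admin"):
        print(candidate, "->", "allowed" if is_safe_endpoint(candidate) else "blocked")
```

The check rejects a name if any resolved address is internal, not just the first, because a name an attacker controls can legitimately return a public address alongside an internal one. Pinning the returned address in the HTTP client, and re-validating the target on every redirect, are the two remaining pieces a real deployment needs; neither is shown here.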

Affected Version(s)

langgenius/dify <= unspecified

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

CVSS V3.0

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
