Password Reset Vulnerability in langgenius/dify by LangGenius
CVE-2024-12039

7.4HIGH

Key Information:

Vendor: Langgenius
Status: Langgenius/dify
Vendor: CVE Published:; 20 March 2025

Summary

The langgenius/dify version v0.10.1 is susceptible to a security flaw that permits unauthenticated attackers to exploit the password reset mechanism. This vulnerability arises from the absence of restrictions on the number of attempts allowed for guessing the six-digit code used in the reset process. Consequently, attackers can potentially gain unauthorized access to owner, admin, or other user accounts, leading to the complete compromise of the application in a short timeframe.

Affected Version(s)

langgenius/dify <= unspecified

References

https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43d...

CVSS V3.0

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Dec 2, 2024