Server-Side Request Forgery in langgenius/dify Affects Custom Tool Feature
CVE-2024-12775
6.5MEDIUM
What is CVE-2024-12775?
The langgenius/dify version 0.10.1 is susceptible to a Server-Side Request Forgery (SSRF) vulnerability within its test functionality for the Create Custom Tool feature. Through the REST API endpoint POST /console/api/workspaces/current/tool-provider/api/test/pre
, malicious users can manipulate the url
parameter within the servers
dictionary based on OpenAI's schema. This exposure enables attackers to leverage the victim server's credentials and access internal or sensitive web resources without authorization, potentially compromising the integrity and confidentiality of the server's data.
Affected Version(s)
langgenius/dify <= unspecified