Server-Side Request Forgery Vulnerability in Dify by Langgenius
CVE-2025-0184
6.5MEDIUM
Summary
A vulnerability was found in Dify, a product by Langgenius, where a Server-Side Request Forgery (SSRF) could be exploited through the 'Create Knowledge' feature. This issue arises during the upload of DOCX files that contain external relationships, which, due to improper handling, allow URLs to be requested directly via the 'requests' module instead of routing through the 'ssrf_proxy'. This oversight poses a risk of exposing sensitive information or facilitating unauthorized access. The vulnerability was addressed and resolved in version 0.11.0.
Affected Version(s)
langgenius/dify < 0.11.0
References
CVSS V3.0
Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved