Server-Side Request Forgery Vulnerability in Dify by Langgenius
CVE-2025-0184

6.5MEDIUM

Key Information:

Vendor
Langgenius
Status
Langgenius/dify
Vendor
CVE Published:
20 March 2025

Summary

A vulnerability was found in Dify, a product by Langgenius, where a Server-Side Request Forgery (SSRF) could be exploited through the 'Create Knowledge' feature. This issue arises during the upload of DOCX files that contain external relationships, which, due to improper handling, allow URLs to be requested directly via the 'requests' module instead of routing through the 'ssrf_proxy'. This oversight poses a risk of exposing sensitive information or facilitating unauthorized access. The vulnerability was addressed and resolved in version 0.11.0.

Affected Version(s)

langgenius/dify < 0.11.0

References

https://huntr.com/bounties/a7eac4ae-5d5e-4ac1-894b-7a8cce...
https://github.com/langgenius/dify/commit/c135ec4b08d946a...

CVSS V3.0

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-0184 : Server-Side Request Forgery Vulnerability in Dify by Langgenius | SecurityVulnerability.io