Pandas Query Injection Vulnerability in Dify Tools by Langgenius
CVE-2025-0185

8.8HIGH

Key Information:

Vendor: Langgenius
Status: Langgenius/dify
Vendor: CVE Published:; 20 March 2025

What is CVE-2025-0185?

A vulnerability in the Vanna module of Dify Tools from Langgenius allows attackers to execute unsanitized user inputs, potentially leading to Remote Code Execution. The flaw is located in the function vn.get_training_plan_generic(df_information_schema), where inadequate input sanitization when utilizing the Pandas library exposes the system to serious security risks.

Affected Version(s)

langgenius/dify <= unspecified

References

https://huntr.com/bounties/7d9eb9b2-7b86-45ed-89bd-276c13...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Jan 2, 2025