Account Takeover Vulnerability in langgenius/dify by Weak PRNG
CVE-2025-1796
7.5HIGH
What is CVE-2025-1796?
A security vulnerability in langgenius/dify version 0.10.1 allows attackers to exploit a suboptimal pseudo-random number generator for generating password reset codes, potentially enabling unauthorized account access. The application uses a non-cryptographic PRNG method (random.randint
), making it possible for adversaries to predict future password reset codes after gaining access to workflow tools. This exploit could lead to a complete compromise of user accounts, including those of administrators.
Affected Version(s)
langgenius/dify <= unspecified