Arbitrary Code Execution Vulnerability in Dify by Langgenius
CVE-2025-3466

9.8CRITICAL

Key Information:

Vendor: Langgenius
Status: Langgenius/dify
Vendor: CVE Published:; 7 July 2025

What is CVE-2025-3466?

Versions 1.1.0 to 1.1.2 of Dify by Langgenius contain a vulnerability that allows unsanitized input in the code node. This issue permits the execution of arbitrary code with elevated permissions, exposing the system to serious security risks. Malicious actors can override critical global JavaScript functions, such as parseInt, bypassing established sandboxing security measures. Consequently, this enables unauthorized access to sensitive data, including secret keys and internal network servers, facilitating lateral movement within the system. The vulnerability has been addressed in version 1.1.3.

Affected Version(s)

langgenius/dify < 1.1.3

References

https://huntr.com/bounties/f8dc17a3-5536-4944-a680-240709...

https://github.com/langgenius/dify/commit/1be0d26c1feb4bc...

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 7, 2025
Vulnerability Reserved
Apr 9, 2025