Skip to main content

Dify CVE-2024-12775

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2025-03-20 security@huntr.dev
6.5
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:32 vuln.today
PoC Detected
Jul 14, 2025 - 18:13 vuln.today
Public exploit code
CVE Published
Mar 20, 2025 - 10:15 nvd
MEDIUM 6.5

DescriptionCVE.org

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's schema with arbitrary URL targets, allowing them to abuse the victim server's credentials to access unauthorized web resources.

AnalysisAI

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API `POST. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's schema with arbitrary URL targets, allowing them to abuse the victim server's credentials to access unauthorized web resources. Affected products include: Langgenius Dify. Version information: version 0.10.1.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

More in Dify

View all
CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2026-41948 CRITICAL POC
9.3 May 18

Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and

CVE-2026-41947 CRITICAL POC
9.3 May 18

Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another t

CVE-2025-1796 HIGH POC
8.8 Mar 20

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts

CVE-2026-61461 HIGH POC
8.7 Jul 10

SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute a

CVE-2026-41949 HIGH POC
8.2 May 18

Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters o

CVE-2024-12039 HIGH POC
8.1 Mar 20

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a

CVE-2024-12776 HIGH POC
8.1 Mar 20

In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an

CVE-2025-43862 HIGH POC
7.6 Apr 25

Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl

CVE-2024-11824 HIGH POC
7.6 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log

CVE-2024-11822 HIGH POC
7.5 Mar 20

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5

CVE-2025-3466 HIGH POC
7.2 Jul 07

CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.

Share

CVE-2024-12775 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy