CVE-2024-12775

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality of the Create Custom Tool option, reached via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. An attacker can set the `url` in the `servers` dictionary of the OpenAPI schema to an arbitrary target, so the Dify server issues the request itself; this lets the attacker abuse the victim server's credentials to access unauthorized web resources.
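A defensive counterpart to the flaw described above: before a pre-test endpoint fetches anything, every `servers[].url` in the submitted OpenAPI schema should be vetted. This is an added example, not Dify's code or its actual fix; the function names, the `resolve` hook and the sample schema are constructed for illustration.

```python
"""Added example, not Dify's own code: reject custom-tool OpenAPI `servers[].url`
entries that would make the server test-fetch internal or non-HTTP targets.
The function names and the `resolve` hook are assumptions for this illustration."""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample schema: one public API server and one loopback server entry.
SAMPLE_SCHEMA = json.dumps({"openapi": "3.0.0", "paths": {}, "servers": [
    {"url": "https://api.example.com/v1"}, {"url": "http://127.0.0.1:5001/"}]})


def _resolve_all(host):
    """Return every address the host name resolves to (real DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def url_ssrf_problems(url, resolve=_resolve_all):
    """Return the reasons this server URL must not be fetched; [] if it is safe."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        return problems + ["missing host"]
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}  # literal IP, no lookup
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolve(parts.hostname)}
        except (socket.gaierror, ValueError):
            return problems + ["host does not resolve"]
    # Every resolved address must be public; one internal record is enough to pivot.
    for ip in sorted(addrs, key=str):
        if not ip.is_global:
            problems.append(f"{parts.hostname} resolves to non-public address {ip}")
    return problems


def schema_server_problems(schema_text, resolve=_resolve_all):
    """Map each servers[].url of an OpenAPI document to its list of problems."""
    spec = json.loads(schema_text)
    return {s.get("url", ""): url_ssrf_problems(s.get("url", ""), resolve)
            for s in spec.get("servers", [])}
```

A single resolution step does not cover DNS rebinding between the check and the fetch; production code should also pin the outgoing connection to the vetted address and refuse redirects.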
References

Link: https://huntr.com/bounties/e90e929a-9bc9-46ad-a5e5-1f6f124d0f12
Resource: Exploit, Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:langgenius:dify:0.10.1:*:*:*:*:node.js:*:*

History

14 Jul 2025, 18:13

Type: First Time
  • Values Added: Langgenius dify
  • Values Added: Langgenius
Type: Summary
  • Values Added: (es) langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality of the "Create Custom Tool" option via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. Attackers can set the `url` in the `servers` dictionary of the OpenAPI schema to arbitrary URLs, which allows them to abuse the victim server's credentials to access unauthorized web resources.
Type: CPE
  • Values Added: cpe:2.3:a:langgenius:dify:0.10.1:*:*:*:*:node.js:*:*
Type: References
  • Values Removed: https://huntr.com/bounties/e90e929a-9bc9-46ad-a5e5-1f6f124d0f12
  • Values Added: https://huntr.com/bounties/e90e929a-9bc9-46ad-a5e5-1f6f124d0f12 - Exploit, Third Party Advisory

20 Mar 2025, 10:15

Type: New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-07-14 18:13


NVD link : CVE-2024-12775

Mitre link : CVE-2024-12775

CVE.ORG link : CVE-2024-12775


Products Affected

langgenius

  • dify
CWE
CWE-918

Server-Side Request Forgery (SSRF)