CVE-2025-1796

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses `random.randint` for this purpose, which is not suitable for cryptographic use and can be cracked. An attacker with access to workflow tools can extract the PRNG output and predict future password reset codes, leading to a complete compromise of the application.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/a60f3039-5394-4e22-8de7-a7da9c6a6e00	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:langgenius:dify:0.10.1:*:*:*:*:node.js:*:*

History

16 Jul 2025, 15:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : unknown v3 : 8.8
First Time		Langgenius dify Langgenius
CPE		cpe:2.3:a:langgenius:dify:0.10.1:::::node.js::
Summary		(es) Una vulnerabilidad en langgenius/dify v0.10.1 permite a un atacante tomar el control de cualquier cuenta, incluidas las de administrador, explotando un generador de números pseudoaleatorios (PRNG) débil, utilizado para generar códigos de restablecimiento de contraseña. La aplicación utiliza `random.randint` para este propósito, que no es apto para uso criptográfico y puede ser descifrado. Un atacante con acceso a herramientas de flujo de trabajo puede extraer la salida del PRNG y predecir futuros códigos de restablecimiento de contraseña, lo que compromete completamente la aplicación.
References	~~() https://huntr.com/bounties/a60f3039-5394-4e22-8de7-a7da9c6a6e00 -~~	() https://huntr.com/bounties/a60f3039-5394-4e22-8de7-a7da9c6a6e00 - Exploit, Third Party Advisory

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-07-16 15:15

NVD link : CVE-2025-1796

Mitre link : CVE-2025-1796

CVE.ORG link : CVE-2025-1796

JSON object : View

Products Affected

langgenius

dify

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

{"id": "CVE-2025-1796", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:54.157", "references": [{"url": "https://huntr.com/bounties/a60f3039-5394-4e22-8de7-a7da9c6a6e00", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses `random.randint` for this purpose, which is not suitable for cryptographic use and can be cracked. An attacker with access to workflow tools can extract the PRNG output and predict future password reset codes, leading to a complete compromise of the application."}, {"lang": "es", "value": "Una vulnerabilidad en langgenius/dify v0.10.1 permite a un atacante tomar el control de cualquier cuenta, incluidas las de administrador, explotando un generador de n\u00fameros pseudoaleatorios (PRNG) d\u00e9bil, utilizado para generar c\u00f3digos de restablecimiento de contrase\u00f1a. La aplicaci\u00f3n utiliza `random.randint` para este prop\u00f3sito, que no es apto para uso criptogr\u00e1fico y puede ser descifrado. Un atacante con acceso a herramientas de flujo de trabajo puede extraer la salida del PRNG y predecir futuros c\u00f3digos de restablecimiento de contrase\u00f1a, lo que compromete completamente la aplicaci\u00f3n."}], "lastModified": "2025-07-16T15:15:54.623", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:langgenius:dify:0.10.1:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BBCA5D7F-39A8-4B8F-9DFF-383365E0AFCD"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}