CVE-2024-10252
Severity: HIGH (CVSS 7.2)
Description
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of the entire sandbox service and causing irreversible damage.
CVE Details
CVSS v3.1 Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Published: 3/20/2025
Last Modified: 7/11/2025
Source: nvd
Honeypot Sightings: 0
Affected Products
langgenius:dify
Weaknesses (CWE)
CWE-94
References
https://github.com/langgenius/dify/commit/4ac99ffe0e1c9f4d7c523908e91bbc7739e0a8d4 (security@huntr.dev)
https://huntr.com/bounties/62c6c958-96cb-426c-aebc-c41f06b9d7b0 (security@huntr.dev)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.