← Retour aux CVEs
CVE-2025-3466
HIGH7.2
Description
langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictions are imposed. This can lead to unauthorized access to secret keys, internal network servers, and lateral movement within dify.ai. The issue is resolved in version 1.1.3.
Details CVE
Score CVSS v3.17.2
SeveriteHIGH
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisHIGH
Interaction utilisateurNONE
Publie7/7/2025
Derniere modification7/10/2025
Sourcenvd
Observations honeypot0
Produits affectes
langgenius:dify
Faiblesses (CWE)
CWE-1100
References
https://github.com/langgenius/dify/commit/1be0d26c1feb4bcbbdd2b4ae4eeb25874aadaddb(security@huntr.dev)
https://huntr.com/bounties/f8dc17a3-5536-4944-a680-24070903cd2d(security@huntr.dev)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.