CVE-2024-10252: Code Injection in langgenius/dify
First published: Thu Mar 20 2025(Updated: )
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of the entire sandbox service and causing irreversible damage.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dify | <=0.9.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-10252?
CVE-2024-10252 is a critical vulnerability that allows code injection with root privileges.
How do I fix CVE-2024-10252?
To fix CVE-2024-10252, upgrade langgenius/dify to a version greater than 0.9.1.
What systems are affected by CVE-2024-10252?
CVE-2024-10252 affects langgenius/dify versions up to and including 0.9.1.
What type of attack does CVE-2024-10252 enable?
CVE-2024-10252 enables an attacker to execute arbitrary Python code within the Dify sandbox.
Is CVE-2024-10252 exploitable remotely?
Yes, CVE-2024-10252 is exploitable via internal SSRF requests.
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- collector/nvd-api
- source/NVD
- agent/author
- agent/severity
- agent/source
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/langgenius
- canonical/dify