CVE-2024-11822: Server-Side Request Forgery (SSRF) in langgenius/dify
First published: Thu Mar 20 2025(Updated: )
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the api_endpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal servers and potentially expose sensitive information, including access to the AWS metadata endpoint.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dify | ||
| Dify | =0.9.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-11822?
The severity of CVE-2024-11822 is significant due to its potential for exploiting internal network services.
How do I fix CVE-2024-11822?
To fix CVE-2024-11822, ensure proper validation and sanitization of the api_endpoint parameter in your application.
What impacts can occur from CVE-2024-11822?
CVE-2024-11822 can lead to unauthorized access to internal services, compromising system security.
Which versions of langgenius/dify are affected by CVE-2024-11822?
CVE-2024-11822 affects langgenius/dify version 0.9.1.
How can an attacker exploit CVE-2024-11822?
An attacker can exploit CVE-2024-11822 by crafting requests that manipulate the api_endpoint parameter to access internal services.
- agent/references
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/severity
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-api
- source/NVD
- vendor/langgenius
- canonical/dify
- vendor/dify
- version/dify/0.9.1