CVE-2024-11821
📋 TL;DR
A privilege escalation vulnerability in langgenius/dify version 0.9.1 allows normal users to modify admin-created chatbot configurations. This occurs due to improper access controls on the /console/api/apps/{chatbot-id}/model-config endpoint. Organizations using vulnerable versions of Dify are affected.
💻 Affected Systems
- langgenius/dify
📦 What is this software?
Dify by Langgenius
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could alter chatbot behavior to leak sensitive information, perform unauthorized actions, or disrupt business operations by modifying orchestration instructions.
Likely Case
Users with normal privileges could tamper with chatbot configurations, potentially causing incorrect responses or minor service disruption.
If Mitigated
With proper access controls, only authorized administrators can modify chatbot configurations, limiting impact to intended functionality.
🎯 Exploit Status
Exploitation requires authenticated user access and knowledge of chatbot IDs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.9.2 or later
Vendor Advisory: https://huntr.com/bounties/76d5986d-3882-4ea7-81cb-f00400e5c6b6
Restart Required: Yes
Instructions:
1. Update Dify to version 0.9.2 or later.
2. Restart the Dify service.
3. Verify the fix by testing access controls.
🔧 Temporary Workarounds
Network Access Restriction
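Restrict access to the vulnerable endpoint using network controls or web application firewall rules.
# Example nginx location block to restrict access
location /console/api/apps/ {
    # Example admin subnet; replace with the range your administrators use
    allow 192.168.1.0/24;
    deny all;
    # nginx does not inherit proxy_pass into a new location block, so repeat
    # the proxy directives from the existing location that serves the Dify API
}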
Temporary Role-Based Restriction
Implement additional middleware to enforce role-based access control on the vulnerable endpoint.
// Custom middleware example (pseudocode, Express-style; req.user.isAdmin is a hypothetical field)
function checkModelConfigAccess(req, res, next) {
  // Fail closed: a request with no authenticated user is treated as non-admin
  if (req.path.includes('/model-config') && !req.user?.isAdmin) {
    return res.status(403).send('Access denied');
  }
  next();
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Dify instances from untrusted users.
- Monitor and audit all access to the /console/api/apps/ endpoint for unauthorized modifications.
🔍 How to Verify
Check if Vulnerable:
Test if a non-admin user can successfully send a PUT request to /console/api/apps/{valid-chatbot-id}/model-config with modified configuration data.
Check Version:
docker exec dify-web python -c "import dify; print(dify.__version__)"
Alternatively, check package.json for the version.
Verify Fix Applied:
After patching, verify that non-admin users receive 403 Forbidden when attempting to access the model-config endpoint.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized 200 OK responses on PUT /console/api/apps/*/model-config from non-admin users
- Unusual modifications to chatbot configurations outside of admin activity patterns
Network Indicators:
- PUT requests to /console/api/apps/*/model-config from non-admin IP addresses
- Unusual payload sizes or patterns in model-config requests
SIEM Query:
source="dify-logs" AND (uri_path="/console/api/apps/*/model-config" AND http_method="PUT" AND user_role!="admin")
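The log indicators and SIEM query above, worked through as an added example (not code from the advisory or from the Dify project): a Python scan of JSON-lines access events that separates successful non-admin writes to model-config from blocked ones. It goes slightly beyond the query by also matching POST and PATCH, lowercase methods, and trailing slashes. Assumptions: the one-JSON-object-per-line format and the `user` and `status` field names are constructed; `uri_path`, `http_method` and `user_role` are taken from the query.

```python
import json
import re

# /console/api/apps/{chatbot-id}/model-config, optional trailing slash or query string
MODEL_CONFIG = re.compile(r"^/console/api/apps/([^/?#]+)/model-config/?(?:\?.*)?$")
WRITE_METHODS = {"PUT", "POST", "PATCH"}

# Constructed sample events, one JSON object per line. uri_path, http_method and
# user_role follow the SIEM query; user and status are assumed field names.
SAMPLE_LOG = """\
{"user": "alice", "user_role": "admin", "http_method": "PUT", "uri_path": "/console/api/apps/app-1/model-config", "status": 200}
{"user": "bob", "user_role": "normal", "http_method": "PUT", "uri_path": "/console/api/apps/app-1/model-config", "status": 200}
{"user": "bob", "user_role": "normal", "http_method": "GET", "uri_path": "/console/api/apps/app-1/model-config", "status": 200}
{"user": "carol", "user_role": "normal", "http_method": "PUT", "uri_path": "/console/api/apps/app-2/model-config", "status": 403}
{"user": "bob", "user_role": "normal", "http_method": "put", "uri_path": "/console/api/apps/app-2/model-config/", "status": 200}
truncated-or-non-JSON line
{"user": "dave", "http_method": "PUT", "uri_path": "/console/api/apps/app-3/model-config", "status": 200}
"""

def scan(lines, admin_roles=("admin",)):
    """Return (successful, blocked) non-admin write attempts on model-config."""
    successful, blocked = [], []
    for raw in lines:
        try:
            ev = json.loads(raw)
            path, method = str(ev["uri_path"]), str(ev["http_method"]).upper()
        except (ValueError, TypeError, KeyError):
            continue  # skip malformed events instead of aborting the scan
        m = MODEL_CONFIG.match(path)
        if not m or method not in WRITE_METHODS:
            continue
        if ev.get("user_role") in admin_roles:  # a missing role counts as non-admin
            continue
        status = ev.get("status")
        hit = {"user": str(ev.get("user", "unknown")), "app_id": m.group(1), "status": status}
        ok = isinstance(status, int) and 200 <= status < 300
        (successful if ok else blocked).append(hit)
    return successful, blocked

def apps_to_review(successful):
    """Map each chatbot id to the non-admin users who changed its config."""
    by_app = {}
    for hit in successful:
        by_app.setdefault(hit["app_id"], set()).add(hit["user"])
    return {app: sorted(users) for app, users in by_app.items()}

if __name__ == "__main__":
    changed, denied = scan(SAMPLE_LOG.splitlines())
    print("configs to review:", apps_to_review(changed))
    print("blocked attempts:", denied)
```

Successful hits identify chatbot configurations that should be compared against their last admin-approved state; blocked hits after patching show the 403 behaviour described under Verify Fix Applied.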