CVE-2024-12775
📋 TL;DR
This SSRF vulnerability in Dify AI allows attackers to make the server send unauthorized requests to internal or external systems using the server's network position and credentials. It affects all users running Dify version 0.10.1 who have access to the REST API test functionality. The vulnerability enables attackers to potentially access sensitive internal services or external resources.
💻 Affected Systems
- langgenius/dify
📦 What is this software?
Dify by Langgenius
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal cloud metadata services (like AWS IMDS), internal databases, or other sensitive systems, potentially leading to full infrastructure compromise and data exfiltration.
Likely Case
Attackers scan internal networks, access internal web applications, or make requests to external services that reveal information about the server's network environment.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to what the server can reach within allowed network boundaries.
🎯 Exploit Status
Exploit requires API access but is simple to execute; public proof-of-concept exists in the huntr.com reference
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.10.2 or later
Vendor Advisory: https://github.com/langgenius/dify/security/advisories
Restart Required: Yes
Instructions:
1. Update Dify to version 0.10.2 or later.
2. Pull the latest Docker image if using containers.
3. Restart the Dify service.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Network Egress Filtering
Platform: Linux. Restrict outbound network connections from the Dify server to only necessary destinations. Blanket DROP rules on ports 80 and 443 alone would also cut off the model-provider APIs Dify needs, so allow the required destinations first, then drop the rest:
# <ALLOWED_API_HOST> is a placeholder for each destination Dify legitimately needs (model provider, package mirror, etc.)
iptables -A OUTPUT -p tcp -d <ALLOWED_API_HOST> --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j DROP
iptables -A OUTPUT -p tcp --dport 443 -j DROP
API Access Restriction
Platform: all. Restrict access to the vulnerable API endpoint using web application firewall or reverse proxy rules
nginx: location ~* /console/api/workspaces/current/tool-provider/api/test/pre { deny all; }
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Dify server from sensitive internal systems
- Deploy a web application firewall with SSRF protection rules to block malicious requests
🔍 How to Verify
Check if Vulnerable:
Test the API endpoint POST /console/api/workspaces/current/tool-provider/api/test/pre with a controlled external URL in the servers parameter
Check Version:
docker inspect dify-api | grep -i version
Alternatively, check package.json in the installation directory.
Verify Fix Applied:
After patching, attempt the same test; requests to arbitrary URLs should be blocked or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Dify server
- Requests to internal IP addresses or cloud metadata services
- Multiple failed API test requests
Network Indicators:
- HTTP requests from Dify server to unexpected destinations
- Requests to internal network ranges from the application server
SIEM Query:
source="dify" AND (url="169.254.169.254" OR url="metadata.google.internal" OR dst_ip IN [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16])
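The two defensive checks this page calls for, an SSRF guard in front of server-side fetches ("If You Can't Patch") and the internal-destination detection expressed by the SIEM query above, share the same core test: is the destination a cloud metadata host or an address inside a private range? The Python below is an added example and is not Dify's own code; it uses the two metadata hostnames and three RFC 1918 ranges from the SIEM query, adds loopback and link-local ranges as an assumed extension, and runs the detection over constructed log lines whose format is invented for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Metadata hostnames taken from the page's SIEM query (extend for other clouds)
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

# RFC 1918 ranges from the SIEM query, plus loopback and link-local (assumed additions)
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal_target(host: str) -> bool:
    """True if host is a known metadata name or an IP literal inside a blocked range.
    DNS names are not resolved here: a real guard must resolve them, re-check every
    returned address, and connect to that checked address (not re-resolve) to avoid
    DNS rebinding."""
    host = host.lower()
    if host in METADATA_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal; see docstring
    return any(addr in net for net in BLOCKED_NETWORKS)


def url_allowed(url: str) -> bool:
    """Pre-request guard for a user-supplied URL: only http(s), only non-internal hosts."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return not is_internal_target(parts.hostname)


# Matches the 'url=' field in the constructed log format below
LOG_URL = re.compile(r"\burl=(\S+)")


def flag_ssrf_lines(lines):
    """Detection: return (line, host) pairs for outbound-request log lines whose
    destination is a metadata host or a blocked range."""
    hits = []
    for line in lines:
        m = LOG_URL.search(line)
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname
        if host and is_internal_target(host):
            hits.append((line, host))
    return hits


# Constructed sample log lines (not real Dify output); one benign, four suspicious
SAMPLE_LOG = [
    "2024-11-02T10:00:01Z dify-api outbound url=https://api.openai.com/v1/models status=200",
    "2024-11-02T10:00:05Z dify-api outbound url=http://169.254.169.254/latest/meta-data/ status=200",
    "2024-11-02T10:00:09Z dify-api outbound url=http://10.0.3.7:8080/admin status=401",
    "2024-11-02T10:00:12Z dify-api outbound url=http://[::1]:6379/ status=000",
    "2024-11-02T10:00:15Z dify-api outbound url=http://metadata.google.internal/computeMetadata/v1/ status=403",
]

if __name__ == "__main__":
    for line, host in flag_ssrf_lines(SAMPLE_LOG):
        print(f"ALERT internal target {host}: {line}")
```

The guard deliberately rejects anything that is not http or https, so file, gopher and similar schemes never reach the fetch. The same `is_internal_target` check that the guard applies before a request is what the detection applies to the URL recorded after one, which keeps the two in agreement when the list of blocked ranges changes.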