CVE-2025-1796
📋 TL;DR
This vulnerability in langgenius/dify v0.10.1 allows attackers to predict password reset codes due to a weak pseudo-random number generator (PRNG). Attackers can reset any user's password, including administrators, leading to complete account takeover. All instances running the vulnerable version are affected.
💻 Affected Systems
- langgenius/dify
📦 What is this software?
Dify by Langgenius
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all user accounts including administrators, leading to data theft, privilege escalation, and full control of the application.
Likely Case
Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive data and functionality.
If Mitigated
Limited impact if strong authentication controls, rate limiting, and monitoring are in place to detect suspicious password reset attempts.
🎯 Exploit Status
Exploitation requires access to workflow tools to extract PRNG output and predict future codes. No authentication is needed for password reset requests themselves.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.10.2 or later
Vendor Advisory: https://huntr.com/bounties/a60f3039-5394-4e22-8de7-a7da9c6a6e00
Restart Required: No
Instructions:
1. Update to v0.10.2 or later.
2. Verify the update replaced random.randint with a cryptographically secure PRNG for password reset codes.
3. Test password reset functionality.
🔧 Temporary Workarounds
Disable Password Reset
Temporarily disable the password reset functionality until patching is complete.
Modify application configuration to disable password reset endpoints
Implement Rate Limiting
Add strict rate limiting to password reset endpoints to make brute-force prediction attempts more difficult.
Configure rate limiting rules for /api/auth/reset-password and related endpoints
🧯 If You Can't Patch
- Implement multi-factor authentication (MFA) for all accounts to prevent password-only compromise
- Monitor and alert on unusual password reset patterns or multiple reset attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the deployment runs langgenius/dify v0.10.1 and inspect the password reset code generation logic for use of random.randint.
Check Version:
Check package.json or application configuration for version information
Verify Fix Applied:
Verify the application version is v0.10.2 or later and confirm password reset codes are now generated with a cryptographically secure PRNG, such as Python's secrets module.
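As an added example (not Dify's own code), the weak generation pattern this advisory describes is shown beside a secrets-based replacement with single-use, expiring, constant-time verification, plus a small ast-based check of the kind the inspection step above calls for, which flags random.randint-style calls in reset-code logic. The 6-digit code format, the 10-minute TTL and all function names are assumptions.

```python
"""Added example, not Dify's code: weak vs. secure reset-code generation and
an AST check that flags the weak pattern this advisory describes."""
import ast
import hmac
import random
import secrets
import time
from typing import Dict, List, Optional, Tuple

CODE_DIGITS = 6            # assumed code format
CODE_TTL_SECONDS = 600     # assumed validity window


def weak_reset_code() -> str:
    # Vulnerable pattern: Mersenne Twister output can be predicted by anyone
    # who has observed enough of its earlier output elsewhere in the app.
    return f"{random.randint(0, 10**CODE_DIGITS - 1):0{CODE_DIGITS}d}"


def secure_reset_code() -> str:
    # Fixed pattern: secrets.randbelow draws from the OS CSPRNG.
    return f"{secrets.randbelow(10**CODE_DIGITS):0{CODE_DIGITS}d}"


def issue_code(store: Dict[str, Tuple[str, float]], email: str,
               now: Optional[float] = None) -> str:
    """Issue one outstanding code per account, with an expiry timestamp."""
    code = secure_reset_code()
    issued_at = now if now is not None else time.time()
    store[email] = (code, issued_at + CODE_TTL_SECONDS)
    return code


def verify_code(store: Dict[str, Tuple[str, float]], email: str,
                submitted: str, now: Optional[float] = None) -> bool:
    """Single use (any attempt consumes the code), expiry enforced,
    constant-time comparison so timing does not leak matching digits."""
    entry = store.pop(email, None)
    if entry is None:
        return False
    code, expires_at = entry
    if (now if now is not None else time.time()) > expires_at:
        return False
    return hmac.compare_digest(code, submitted)


WEAK_CALLS = {"randint", "random", "choice", "choices", "randrange", "getrandbits"}


def uses_weak_prng(source: str) -> List[int]:
    """Return line numbers where random.<weak call>(...) appears in source."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "random"
                and node.func.attr in WEAK_CALLS):
            hits.append(node.lineno)
    return hits
```

Running uses_weak_prng over the reset-code module of a deployment is a quick way to confirm the fix in step 2 of the patch instructions actually landed.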
📡 Detection & Monitoring
Log Indicators:
- Multiple password reset requests for different accounts from same source
- Successful password resets followed by immediate login from new IP
Network Indicators:
- Unusual patterns of POST requests to password reset endpoints
- Rapid sequence of password reset attempts
SIEM Query:
source="dify" AND (url_path="/api/auth/reset-password" OR event="password_reset") | stats count by src_ip, user