Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-0184— Server-Side Request Forgery (SSRF) in langgenius/dify

EPSS 0.29% · P52
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-0184

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Server-Side Request Forgery (SSRF) in langgenius/dify
Source: NVD (National Vulnerability Database)
Vulnerability Description
A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests' module instead of the 'ssrf_proxy', leading to an SSRF vulnerability. This issue was fixed in version 0.11.0.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
dify 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
dify是LangGenius开源的一个开源的 LLM 应用程序开发平台。 dify 0.10.2版本存在代码问题漏洞,该漏洞源于Create Knowledge部分上传DOCX文件时容易受到服务端请求伪造攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
langgeniuslanggenius/dify unspecified ~ 0.11.0 -

II. Public POCs for CVE-2025-0184

#POC DescriptionSource LinkShenlong Link
1YISF 2025, CVE-2025-0184https://github.com/m0d0ri205/wargame_Re-LSPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-0184

登录查看更多情报信息。

Same Patch Batch · langgenius · 2025-03-20 · 11 CVEs total

CVE-2025-0185Pandas Query Injection in langgenius/dify
CVE-2025-1796Admin account takeover through weak Pseudo-Random number generator used in generating pass
CVE-2024-12775SSRF in langgenius/dify
CVE-2024-12039Improper Restriction of Excessive Authentication Attempts in langgenius/dify
CVE-2024-12776Authentication Bypass in langgenius/dify
CVE-2024-11822Server-Side Request Forgery (SSRF) in langgenius/dify
CVE-2024-11850Stored XSS in langgenius/dify
CVE-2024-11824Stored XSS in langgenius/dify
CVE-2024-11821Privilege Escalation in langgenius/dify
CVE-2024-10252Code Injection in langgenius/dify

IV. Related Vulnerabilities

Same product: langgenius/dify
Same vendor: langgenius
Same weakness: CWE-918

V. Comments for CVE-2025-0184

No comments yet

Leave a comment