Vulnerability Overview

Vulnerability ID: #792231
Vulnerability Name: LangGenius Dify <= 0.6.9 Server-Side Request Forgery (CWE-918)
Vulnerability Type: Server-Side Request Forgery (SSRF)

Technical Details:
A blind SSRF vulnerability exists in the method. The flaw allows an attacker to craft requests that abuse the server's internal mechanism for fetching external resources, so the server issues requests to destinations of the attacker's choosing.

Impact Scope

Affected Versions: LangGenius Dify <= 0.6.9

Impact Description:
- Internal Network Reconnaissance: an attacker can map the internal network.
- Cloud Metadata Access: an attacker can retrieve instance metadata and IAM credentials (in AWS/GCP/Azure environments).
- Internal Service Interaction: an attacker can trigger state-changing operations on internal REST APIs, inferring outcomes from the response status (the SSRF is blind).

Remediation

Remediation Status: Accepted
Fixed Version: No specific fixed version provided; upgrading to the latest version is recommended.

POC Code