Cyber Posture

CVE-2024-10252

HighPublic PoC

Published: 20 March 2025

Published
20 March 2025
Modified
11 July 2025
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.

Security Summary

CVE-2024-10252 is a code injection vulnerability (CWE-94) in langgenius/dify versions up to and including v0.9.1. The issue resides in the Dify sandbox service, where internal SSRF requests can be abused to execute arbitrary Python code with root privileges within the sandbox environment. This flaw carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Exploitation requires high privileges (PR:H) and is feasible over the network with low complexity and no user interaction. An attacker with sufficient access can leverage the SSRF to inject and run malicious Python code as root in the sandbox, potentially deleting the entire sandbox service and inflicting irreversible damage with high confidentiality, integrity, and availability impacts.

The vulnerability was addressed via a patch in this GitHub commit: https://github.com/langgenius/dify/commit/4ac99ffe0e1c9f4d7c523908e91bbc7739e0a8d4. Further details, including the report, are available on the Huntr bounty page: https://huntr.com/bounties/62c6c958-96cb-426c-aebc-c41f06b9d7b0. Affected deployments should apply the patch by upgrading beyond v0.9.1.

Details

CWE(s)
CWE-94

Affected Products

langgenius
dify
≤ 0.9.1

AI Security Analysis

AI Category
Enterprise AI Assistants
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Dify (langgenius/dify) is an open-source platform for building and deploying AI-native applications, particularly LLM-based agents and assistants, matching the Enterprise AI Assistants category. The vulnerability is in its sandbox service, used for secure code execution in AI workflows.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1489 Service Stop Impact
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
attack.mitre.org →
Why these techniques?

SSRF vulnerability enables exploitation of public-facing application (T1190), arbitrary Python code execution (T1059.006), root privilege escalation (T1068), and service stop via sandbox deletion (T1489).

References