CVE-2024-11822
Published: 20 March 2025
Description
A Server-Side Request Forgery (SSRF) vulnerability in langgenius/dify version 0.9.1 allows an unauthenticated remote attacker to control the URL the application fetches via the api_endpoint parameter, steering requests from the vulnerable server to internal network services, including the AWS instance metadata endpoint.
Security Summary
CVE-2024-11822 is a Server-Side Request Forgery (SSRF) vulnerability, classified as CWE-918, affecting langgenius/dify version 0.9.1. The application fetches the URL supplied in the api_endpoint parameter without restricting where it may point, so an attacker can make the server issue requests to internal network services that are not reachable from outside.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5, High). The impact is to confidentiality: the attacker reaches internal servers through the application and can read what they return, with the AWS instance metadata endpoint cited as a target that exposes sensitive information.
The primary advisory is the Huntr report at https://huntr.com/bounties/f3042029-5d4e-41c6-850d-bbe02fae6592. It documents the vulnerability, but the information available here does not identify a patched version or a mitigation.
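Because the report names no fix, it is worth stating the generic control for this bug class: validate the destination of any user-supplied URL before the server fetches it. The following is an added illustration, not code from Dify or from the Huntr report. It shows the vulnerable shape (the api_endpoint value handed straight to an HTTP client) next to a hardened version that rejects non-HTTP schemes, loopback, private and link-local addresses (the range containing the 169.254.169.254 metadata address, also when hidden in an IPv4-mapped IPv6 literal), and any hostname that has even one internal DNS record. The function names, the example.com hosts and the in-memory DNS table are constructed for the demo so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only plain web schemes; this alone blocks file://, gopher://, dict:// and similar.
ALLOWED_SCHEMES = {"http", "https"}

# Destinations an outbound fetch must never reach. 169.254.0.0/16 is the
# link-local range that contains the cloud metadata address 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


class SSRFBlocked(ValueError):
    """Raised when a user-supplied endpoint points at a forbidden destination."""


def is_blocked_address(ip_str):
    """True if the literal IP address falls in a blocked range."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:169.254.169.254 is the metadata address in IPv4-mapped clothing;
    # judge it by the embedded IPv4 form rather than as a generic IPv6 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def default_resolver(host):
    """Resolve a hostname to all of its addresses using real DNS (not used by the demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the demo runs offline. Hypothetical names, not real hosts.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    # One public and one internal record models an attacker-controlled domain
    # that tries to sneak an internal address past a "first answer only" check.
    "rebind.example.com": ["93.184.216.34", "169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


def validate_outbound_url(url, resolver=default_resolver):
    """Return the addresses a request to `url` would reach, or raise SSRFBlocked.

    Every resolved address must be allowed: a single internal record is enough
    to reject, because the attacker controls DNS for their own domain.
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # urlparse strips the brackets from IPv6 literals
    if not host:
        raise SSRFBlocked("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no DNS step
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise SSRFBlocked(f"{host!r} did not resolve")
    for addr in addrs:
        if is_blocked_address(addr):
            raise SSRFBlocked(f"{host!r} resolves to blocked address {addr}")
    return addrs


def rejects(url, resolver=default_resolver):
    """True if validate_outbound_url refuses the URL."""
    try:
        validate_outbound_url(url, resolver)
    except SSRFBlocked:
        return True
    return False


def fetch_endpoint_unchecked(api_endpoint, fetcher):
    """The vulnerable shape: the user-supplied URL goes straight to the HTTP client."""
    return fetcher(api_endpoint)


def fetch_endpoint_checked(api_endpoint, fetcher, resolver=default_resolver):
    """Hardened shape: validate the destination, then hand off to the HTTP client.

    `fetcher` should have redirects disabled (or re-run this check on every hop)
    and ideally connect to one of the validated addresses instead of resolving
    again, so a DNS answer that changes between check and connect cannot slip by.
    """
    validate_outbound_url(api_endpoint, resolver)
    return fetcher(api_endpoint)


if __name__ == "__main__":
    probes = [
        "https://api.example.com/v1/models",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]:8080/",
        "file:///etc/passwd",
        "https://rebind.example.com/",
    ]
    for u in probes:
        print(f"{'BLOCKED' if rejects(u, fake_resolver) else 'allowed':8} {u}")
```

Two caveats apply to any allow/deny check of this kind. First, it is only as good as the HTTP client's behaviour after the check: a 302 from an allowed host to 169.254.169.254 bypasses it unless redirects are disabled or re-validated, and a DNS answer that changes between validation and connection (rebinding) bypasses it unless the client connects to the address that was checked. Second, it is a defence at the application layer; blocking the metadata service at the network or instance level (for example requiring IMDSv2, whose session token must be obtained with a PUT request that a GET-only SSRF cannot issue) removes the highest-value target regardless of what the application gets wrong.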
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)
- Affected Products: langgenius/dify 0.9.1
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1046 Network Service Discovery: adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?
The SSRF sits in an internet-facing application, so exploiting it is the initial-access step (T1190). Once the attacker can make the server issue arbitrary requests, the responses (or their absence) let them enumerate internal services that are not reachable from outside, including cloud metadata endpoints (T1046).