CVE-2024-12039
Published: 20 March 2025
Description
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Security Summary
CVE-2024-12039 is a vulnerability in langgenius/dify version v0.10.1, specifically in the password reset mechanism, where no limits are applied to the number of code guess attempts for the six-digit reset code. This issue, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-20.
An unauthenticated attacker can exploit this vulnerability over the network by brute-forcing the six-digit password reset code without rate limiting or attempt restrictions. Within a few hours of guessing, the attacker can successfully reset passwords for owner, admin, or other user accounts, resulting in complete compromise of the application, including high confidentiality, integrity, and availability impacts.
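A hardened verifier for a six-digit reset code, added here to illustrate the CWE-307 mitigation the summary implies; it is not Dify's code. Attempts are counted per pending request, the code is discarded after a small number of wrong guesses and after a short expiry, and the comparison is constant-time. The store, names and limits (MAX_ATTEMPTS, CODE_TTL_SECONDS) are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 5          # discard the code after this many wrong guesses
CODE_TTL_SECONDS = 600    # a reset code is only valid for ten minutes

@dataclass
class ResetRequest:
    code: str
    issued_at: float
    attempts: int = 0

class ResetCodeStore:
    """Hypothetical in-memory store of pending password-reset requests."""

    def __init__(self) -> None:
        self._pending: Dict[str, ResetRequest] = {}

    def issue(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # secrets gives an unpredictable code; zero-padded to six digits
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[email] = ResetRequest(code, now)
        return code

    def verify(self, email: str, guess: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        req = self._pending.get(email)
        if req is None:
            return "no_pending_request"
        if now - req.issued_at > CODE_TTL_SECONDS:
            del self._pending[email]
            return "expired"
        # count the attempt before comparing, so parallel guesses cannot
        # exceed the limit by racing the check
        req.attempts += 1
        if hmac.compare_digest(req.code, guess):
            del self._pending[email]   # single use
            return "ok"
        if req.attempts >= MAX_ATTEMPTS:
            del self._pending[email]   # a fresh code must be requested
            return "locked"
        return "wrong_code"
```

With these limits an attacker gets at most MAX_ATTEMPTS guesses out of a million possible codes per reset request, instead of unlimited guesses against a code that never expires.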
The primary reference for the advisory and mitigation is https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512, which details the vulnerability as reported through a bug bounty program.
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Dify (langgenius/dify) is an open-source platform for building and deploying AI applications, including LLM-based agents and assistants, fitting the Enterprise AI Assistants category. The vulnerability is in this AI platform, confirmed via an AI/ML bug bounty advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lacks limits on password reset code guess attempts, enabling unauthenticated attackers to brute-force the six-digit code (T1110.001: Password Guessing) and compromise user accounts.