CVE-2024-10252
published 2025-03-20CVE-2024-10252: A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability…
PriorityP347high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
0.75%
50.3th percentile
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of the entire sandbox service and causing irreversible damage.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langgenius | dify | <= 0.9.1 | — |
| langgenius | langgenius_dify | >= unspecified < 0.2.10 | 0.2.10 |
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-20
Published