CVE-2024-12775

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. Attackers can set the `url` in the `servers` dictionary in OpenAI's schema with arbitrary URL targets, allowing them to abuse the victim server's credentials to access unauthorized web resources.
Configurations

No configuration.

History

20 Mar 2025, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-03-20 10:15


NVD link : CVE-2024-12775

Mitre link : CVE-2024-12775

CVE.ORG link : CVE-2024-12775


JSON object : View

Products Affected

No product.

CWE
CWE-918

Server-Side Request Forgery (SSRF)