Cyber Resilience

CVE-2024-10252

HighPublic PoCRCE

Published: 20 March 2025

Published
20 March 2025
Modified
11 July 2025
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.0th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-10252 is a high-severity Code Injection (CWE-94) vulnerability in Langgenius Dify. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-10252 is a code injection vulnerability (CWE-94) in langgenius/dify versions up to and including v0.9.1. The issue resides in the Dify sandbox service, where internal SSRF requests can be abused to execute arbitrary Python code with root privileges within the sandbox environment. This flaw carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Exploitation requires high privileges (PR:H) and is feasible over the network with low complexity and no user interaction. An attacker with sufficient access can leverage the SSRF to inject and run malicious Python code as root in the sandbox, potentially deleting the entire sandbox service and inflicting irreversible damage with high confidentiality, integrity, and availability impacts.

The vulnerability was addressed via a patch in this GitHub commit: https://github.com/langgenius/dify/commit/4ac99ffe0e1c9f4d7c523908e91bbc7739e0a8d4. Further details, including the report, are available on the Huntr bounty page: https://huntr.com/bounties/62c6c958-96cb-426c-aebc-c41f06b9d7b0. Affected deployments should apply the patch by upgrading beyond v0.9.1.

EU & UK References

Vulnerability details

A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the…

more

deletion of the entire sandbox service and causing irreversible damage.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: dify

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1489 Service Stop Impact
Adversaries may stop or disable services on a system to render those services unavailable to legitimate users.
Why these techniques?

SSRF vulnerability enables exploitation of public-facing application (T1190), arbitrary Python code execution (T1059.006), root privilege escalation (T1068), and service stop via sandbox deletion (T1489).

CVEs Like This One

CVE-2025-1796Same product: Langgenius Dify
CVE-2024-12039Same product: Langgenius Dify
CVE-2024-11824Same product: Langgenius Dify
CVE-2025-0185Shared CWE-94
CVE-2026-26030Shared CWE-94
CVE-2024-55241Shared CWE-94
CVE-2025-9334Shared CWE-94
CVE-2026-27952Shared CWE-94
CVE-2025-6990Shared CWE-94
CVE-2025-62348Shared CWE-94

Affected Assets

langgenius
dify
≤ 0.9.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of inputs to the Dify sandbox service, directly preventing SSRF payloads that enable arbitrary Python code injection.

prevent

Mandates timely remediation of flaws like CVE-2024-10252 through patching, as demonstrated by the specific GitHub commit fix.

prevent

Enforces least privilege in the sandbox environment, limiting the impact of injected code by preventing root-level execution and service deletion.

References