CVE-2024-10252
Published: 20 March 2025
Summary
CVE-2024-10252 is a high-severity Code Injection (CWE-94) vulnerability in Langgenius Dify. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of inputs to the Dify sandbox service, directly preventing SSRF payloads that enable arbitrary Python code injection.
Mandates timely remediation of flaws like CVE-2024-10252 through patching, as demonstrated by the specific GitHub commit fix.
Enforces least privilege in the sandbox environment, limiting the impact of injected code by preventing root-level execution and service deletion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vulnerability enables exploitation of public-facing application (T1190), arbitrary Python code execution (T1059.006), root privilege escalation (T1068), and service stop via sandbox deletion (T1489).
NVD Description
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the…
more
deletion of the entire sandbox service and causing irreversible damage.
Deeper analysisAI
CVE-2024-10252 is a code injection vulnerability (CWE-94) in langgenius/dify versions up to and including v0.9.1. The issue resides in the Dify sandbox service, where internal SSRF requests can be abused to execute arbitrary Python code with root privileges within the sandbox environment. This flaw carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Exploitation requires high privileges (PR:H) and is feasible over the network with low complexity and no user interaction. An attacker with sufficient access can leverage the SSRF to inject and run malicious Python code as root in the sandbox, potentially deleting the entire sandbox service and inflicting irreversible damage with high confidentiality, integrity, and availability impacts.
The vulnerability was addressed via a patch in this GitHub commit: https://github.com/langgenius/dify/commit/4ac99ffe0e1c9f4d7c523908e91bbc7739e0a8d4. Further details, including the report, are available on the Huntr bounty page: https://huntr.com/bounties/62c6c958-96cb-426c-aebc-c41f06b9d7b0. Affected deployments should apply the patch by upgrading beyond v0.9.1.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Dify (langgenius/dify) is an open-source platform for building and deploying AI-native applications, particularly LLM-based agents and assistants, matching the Enterprise AI Assistants category. The vulnerability is in its sandbox service, used for secure code execution in AI workflows.