CVE-2024-10252
Published: 20 March 2025
Summary
CVE-2024-10252 is a high-severity Code Injection (CWE-94) vulnerability in Langgenius Dify. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-10252 is a code injection vulnerability (CWE-94) in langgenius/dify versions up to and including v0.9.1. The issue resides in the Dify sandbox service, where internal SSRF requests can be abused to execute arbitrary Python code with root privileges within the sandbox environment. This flaw carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Exploitation requires high privileges (PR:H) and is feasible over the network with low complexity and no user interaction. An attacker with sufficient access can leverage the SSRF to inject and run malicious Python code as root in the sandbox, potentially deleting the entire sandbox service and inflicting irreversible damage with high confidentiality, integrity, and availability impacts.
The vulnerability was addressed via a patch in this GitHub commit: https://github.com/langgenius/dify/commit/4ac99ffe0e1c9f4d7c523908e91bbc7739e0a8d4. Further details, including the report, are available on the Huntr bounty page: https://huntr.com/bounties/62c6c958-96cb-426c-aebc-c41f06b9d7b0. Affected deployments should apply the patch by upgrading beyond v0.9.1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7125
Vulnerability details
A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the…
more
deletion of the entire sandbox service and causing irreversible damage.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: dify
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF vulnerability enables exploitation of public-facing application (T1190), arbitrary Python code execution (T1059.006), root privilege escalation (T1068), and service stop via sandbox deletion (T1489).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of inputs to the Dify sandbox service, directly preventing SSRF payloads that enable arbitrary Python code injection.
Mandates timely remediation of flaws like CVE-2024-10252 through patching, as demonstrated by the specific GitHub commit fix.
Enforces least privilege in the sandbox environment, limiting the impact of injected code by preventing root-level execution and service deletion.