CVE-2024-11822
Published: 20 March 2025
Summary
CVE-2024-11822 is a high-severity SSRF (CWE-918) vulnerability in Dify (langgenius/dify). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and filtering of the api_endpoint parameter to prevent attackers from injecting internal network URLs that cause SSRF.
- Implements boundary protections such as firewalls or egress proxies to monitor and block unauthorized outbound requests from the application to internal services such as the AWS metadata endpoint.
- Enforces information flow control policies that restrict the application's communications to internal network resources, mitigating SSRF exploitation.
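As an added illustration of the api_endpoint validation described by the first control above (this is not Dify's own code; the function names and the injectable resolver are assumptions), a Python check that accepts only http(s) URLs whose host resolves exclusively to public addresses, so the metadata endpoint, loopback, link-local and RFC 1918 targets are refused before any request is made:

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host: str) -> list[str]:
    """Return every A/AAAA address for host (empty list if it does not resolve)."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def is_internal_address(text: str) -> bool:
    """True unless the address is a routable public unicast IP."""
    ip = ipaddress.ip_address(text.split("%", 1)[0])  # drop an IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:169.254.169.254 -> check the v4 part
    if mapped is not None:
        ip = mapped
    return (not ip.is_global) or ip.is_multicast


def validate_api_endpoint(url: str, resolve=resolve_all) -> tuple[bool, str]:
    """Allow only http(s) URLs whose host is, or resolves solely to, public addresses.

    `resolve` is injectable so the check can be exercised without network access.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # strips brackets, userinfo and port
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP: no DNS lookup needed
    except ValueError:
        addresses = resolve(host)
        if not addresses:
            return False, f"host {host!r} does not resolve"
    # Every record must pass: a multi-record or rebinding host cannot smuggle one internal address.
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"host {host!r} resolves to internal address {addr}"
    return True, "ok"
```

The resolved addresses should also be pinned when the request is actually issued (connect to the checked IP, send the original Host header), otherwise a second DNS lookup inside the HTTP client can return a different answer than the one validated here.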
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in public-facing app directly enables remote exploitation for initial access (T1190) and facilitates internal network service discovery (T1046) via arbitrary requests to internal endpoints including metadata services.
NVD Description
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the api_endpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal servers and potentially expose sensitive information, including access to the AWS metadata endpoint.
Deeper analysis
CVE-2024-11822 is a Server-Side Request Forgery (SSRF) vulnerability, classified as CWE-918, affecting langgenius/dify version 0.9.1. The issue arises from improper handling of the api_endpoint parameter, which allows attackers to make direct requests to internal network services from the vulnerable application.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5). Exploitation enables unauthorized access to internal servers and potential exposure of sensitive information, including the AWS metadata endpoint.
The primary advisory is available on Huntr.com at https://huntr.com/bounties/f3042029-5d4e-41c6-850d-bbe02fae6592, which details the vulnerability report but does not specify patches or mitigations in the provided information.
Details
- CWE(s)