CVE-2024-12039
Published: 20 March 2025
Summary
CVE-2024-12039 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Langgenius Dify. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked in the top 25.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2024-12039 is a vulnerability in langgenius/dify version v0.10.1, specifically in the password reset mechanism, where no limits are applied to the number of code guess attempts for the six-digit reset code. This issue, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-20.
An unauthenticated attacker can exploit this vulnerability over the network by brute-forcing the six-digit password reset code without rate limiting or attempt restrictions. Within a few hours of guessing, the attacker can successfully reset passwords for owner, admin, or other user accounts, resulting in complete compromise of the application, including high confidentiality, integrity, and availability impacts.
The primary reference for advisories and mitigation is available at https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512, which details the vulnerability discovered through a bug bounty program.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7032
Vulnerability details
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.
- CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: dify
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1110.001: Password Guessing
Why these techniques?
The vulnerability lacks limits on password reset code guess attempts, enabling unauthenticated attackers to brute force the six-digit code (T1110.001: Password Guessing) and compromise user accounts.
Mitigating Controls (NIST 800-53 r5)
- AC-7 (Unsuccessful Logon Attempts): directly enforces limits on consecutive invalid password reset code attempts, preventing brute-force guessing of the six-digit code.
- IA-5 (Authenticator Management): requires secure management of authenticators like password reset codes, including protection against unauthorized disclosure and brute-force through procedural controls.
- Monitoring control: monitors system activity to identify excessive failed password reset attempts indicative of brute-force attacks.
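The following is an added illustration of the AC-7 style control described above and of the flaw outlined in the deeper analysis (a six-digit reset code that can be guessed without limit). It is not Dify's code and does not reproduce the vulnerable implementation; the attempt limit, expiry, in-memory store and the `ResetCodeStore` / `guess_success_probability` names are assumptions chosen for the example. The verifier caps the number of guesses per issued code, expires the code after a fixed window, rejects even the correct code once the cap is hit, and compares in constant time.

```python
# Added example (not langgenius/dify code): an attempt-limited password-reset
# code verifier. Policy values and the in-memory store are assumptions.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

MAX_ATTEMPTS = 5        # assumed policy: at most 5 guesses per issued code
CODE_TTL_SECONDS = 600  # assumed policy: a code is valid for 10 minutes
CODE_SPACE = 1_000_000  # six decimal digits, as in the advisory


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


class ResetCodeStore:
    """Tracks one pending six-digit reset code per account and enforces
    an attempt limit (AC-7) and a lifetime (IA-5) on that code."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                     # injectable clock for testing
        self._pending: Dict[str, ResetChallenge] = {}

    def issue(self, account: str) -> str:
        """Issue a fresh random six-digit code, replacing any pending one.
        Re-issuing resets the attempt counter, so the caller must also rate
        limit how often a reset can be requested for an account."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._pending[account] = ResetChallenge(code=code, issued_at=self._now())
        return code

    def verify(self, account: str, guess: str) -> str:
        """Return one of: ok, wrong, locked, expired, no_pending_reset."""
        challenge = self._pending.get(account)
        if challenge is None or challenge.consumed:
            return "no_pending_reset"
        if self._now() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        # Once the cap is reached the code is dead, even for a correct guess:
        # the user must request a new code, which can itself be rate limited.
        if challenge.attempts >= MAX_ATTEMPTS:
            return "locked"
        challenge.attempts += 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(challenge.code.encode(), guess.encode()):
            challenge.consumed = True
            del self._pending[account]
            return "ok"
        return "wrong"

    def attempts_used(self, account: str) -> int:
        challenge = self._pending.get(account)
        return challenge.attempts if challenge else 0


def guess_success_probability(max_attempts: int = MAX_ATTEMPTS,
                              code_space: int = CODE_SPACE) -> float:
    """Chance that a blind guesser succeeds within one issued code. With no
    cap this tends to 1 (the advisory's 'within a few hours'); with a cap
    of 5 it is 5 in a million per reset request."""
    return min(max_attempts, code_space) / code_space


if __name__ == "__main__":
    store = ResetCodeStore()
    code = store.issue("owner@example.test")   # constructed sample account
    wrong = f"{(int(code) + 1) % CODE_SPACE:06d}"
    print([store.verify("owner@example.test", wrong) for _ in range(MAX_ATTEMPTS)])
    print(store.verify("owner@example.test", code))   # locked, not ok
    print(guess_success_probability())
```

The `now` parameter exists so the expiry path can be exercised deterministically; in a real deployment the pending challenges would live in a shared store (for example the application database or a cache) rather than process memory, and the request-a-reset endpoint needs its own rate limit so an attacker cannot reset the attempt counter at will.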