
CVE-2024-12039

Severity: High (public PoC referenced)

Published: 20 March 2025
Modified: 15 July 2025
KEV Added: not listed
Patch: none referenced on this page
CVSS Score: v3.1 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0078 (74.1st percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12039 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Langgenius Dify. Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Password Guessing (T1110.001). Its EPSS score of 0.0078 (74.1st percentile) places it in the top 25.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: the affected product is categorised as an LLM application platform, and the risk domain is "Other ATLAS/OWASP Terms" (no OWASP Top 10 for LLMs 2025 entry is mapped).

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2024-12039 is a vulnerability in langgenius/dify version v0.10.1, specifically in the password reset mechanism, where no limits are applied to the number of code guess attempts for the six-digit reset code. This issue, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-20.

An unauthenticated attacker can exploit this vulnerability over the network by brute-forcing the six-digit password reset code, because the endpoint enforces neither rate limiting nor a cap on attempts per issued code. A six-digit numeric code has only 10^6 possible values: at 100 guesses per second the whole space is covered in under three hours, and on average the correct code turns up in half that time, which is why the advisory speaks of "a few hours". Once the code is guessed, the attacker can reset the password of the owner, an admin, or any other user account, resulting in complete compromise of the application, with high confidentiality, integrity, and availability impact.
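To make the flaw concrete, the following is an added example (not Dify's own code) of a minimal reset-code store. With `max_attempts=None` it reproduces the vulnerable behaviour: the issued code stays valid no matter how many wrong guesses arrive, so `brute_force` walks the whole six-digit space and eventually succeeds. With a finite per-code attempt budget the store burns the code after a handful of failures, and the same enumeration gets nowhere. The class name, the budget of five attempts, the five-minute lifetime and the e-mail addresses are all hypothetical.

```python
import hmac
import secrets
import time

# Added example, not Dify's code: a minimal password-reset code store that
# models the flaw (unlimited guesses) beside the hardened form (per-code
# attempt budget, expiry, single use). Names and limits are hypothetical.

CODE_LENGTH = 6
DEFAULT_MAX_ATTEMPTS = 5      # hypothetical budget per issued code
DEFAULT_TTL_SECONDS = 300     # hypothetical code lifetime


class ResetCodeStore:
    """Issues and verifies six-digit reset codes, keyed by account e-mail.

    max_attempts=None reproduces the vulnerable behaviour: the code stays
    valid however many wrong guesses arrive. A finite budget burns the code
    once it is exhausted, so an exhaustive search never gets to run.
    """

    def __init__(self, max_attempts=DEFAULT_MAX_ATTEMPTS,
                 ttl=DEFAULT_TTL_SECONDS, clock=time.time,
                 randbelow=secrets.randbelow):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested
        self.randbelow = randbelow    # injectable so the code can be pinned in tests
        self._codes = {}              # email -> {"code", "issued", "attempts"}

    def issue(self, email):
        code = f"{self.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._codes[email] = {"code": code, "issued": self.clock(), "attempts": 0}
        return code

    def verify(self, email, guess):
        entry = self._codes.get(email)
        if entry is None:
            return False
        if self.clock() - entry["issued"] > self.ttl:
            del self._codes[email]            # expired: a fresh code is required
            return False
        entry["attempts"] += 1
        # Constant-time compare: the bug here is the attempt count, not
        # timing, but a reset code is still a secret.
        ok = hmac.compare_digest(entry["code"], guess)
        if ok:
            del self._codes[email]            # single use
        elif self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            del self._codes[email]            # budget exhausted: burn the code
        return ok

    def pending(self, email):
        """True while a code for this account is still accepted."""
        return email in self._codes


def brute_force(store, email):
    """Enumerate every six-digit code in order; return guesses used, or None."""
    for n in range(10 ** CODE_LENGTH):
        if store.verify(email, f"{n:0{CODE_LENGTH}d}"):
            return n + 1
    return None


if __name__ == "__main__":
    victim = "owner@example.invalid"
    vulnerable = ResetCodeStore(max_attempts=None)
    vulnerable.issue(victim)
    print("vulnerable store: code found after", brute_force(vulnerable, victim), "guesses")
    hardened = ResetCodeStore()
    hardened.issue(victim)
    print("hardened store: code found after", brute_force(hardened, victim), "guesses")
```

The attempt budget is tracked per issued code rather than per source IP on purpose: an attacker spreading guesses across many addresses still gets only five tries before the code is invalidated, whereas IP-based throttling alone would not stop a distributed guess. Expiry and single use close the remaining windows (a code that outlives the reset flow, or one that can be replayed).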

The primary reference for advisories and mitigation is available at https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512, which details the vulnerability discovered through a bug bounty program.


Vulnerability details

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.

CWE(s)

CWE-307 Improper Restriction of Excessive Authentication Attempts

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: dify

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The vulnerability lacks limits on password reset code guess attempts, enabling unauthenticated attackers to brute force the six-digit code (T1110.001: Password Guessing) and compromise user accounts.

CVEs Like This One

CVE-2024-10252 (same product: Langgenius Dify)
CVE-2025-1796 (same product: Langgenius Dify)
CVE-2024-11824 (same product: Langgenius Dify)
CVE-2025-36363 (shared CWE-307)
CVE-2024-9342 (shared CWE-307)
CVE-2026-32292 (shared CWE-307)
CVE-2026-24436 (shared CWE-307)
CVE-2025-58587 (shared CWE-307)
CVE-2026-27521 (shared CWE-307)
CVE-2025-25595 (shared CWE-307)

Affected Assets

Vendor: langgenius
Product: dify
Version: 0.10.1

Mitigating Controls (NIST 800-53 r5)

AC-7 Unsuccessful Logon Attempts (prevent)

Directly enforces limits on consecutive invalid password reset code attempts, preventing brute-force guessing of the six-digit code.

IA-5 Authenticator Management (prevent)

Requires secure management of authenticators such as password reset codes, including protection against unauthorized disclosure and against brute force, through procedural controls (short lifetime, single use, invalidation after repeated failure).

Monitoring control (detect)

Monitors system activity to identify excessive failed password reset attempts indicative of brute-force attacks.
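The detect control above is only as good as the query behind it. As an added example (not part of the original page or of Dify), the following counts failed reset-code checks per account and per source IP in a sliding window and raises one alert per key the first time it crosses the threshold. The log line format, the threshold of 20 failures in 10 minutes, the IP addresses and the accounts are all constructed for illustration; a real deployment would adapt `LOG_RE` to its own application or access log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example, not Dify's code. The log format is constructed for
# illustration; adapt LOG_RE to the real application or access log.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"reset_code_check email=(?P<email>\S+) result=(?P<result>ok|fail)$"
)

THRESHOLD = 20                  # hypothetical: failures per window before alerting
WINDOW = timedelta(minutes=10)  # hypothetical window


def parse(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed reset-code checks, keyed both by target
    account and by source IP. Lines must be in time order. Returns one alert
    per key the first time its count within the window reaches threshold."""
    failures = defaultdict(deque)   # key -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "fail":
            continue
        for key in (("email", ev["email"]), ("ip", ev["ip"])):
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()             # drop failures older than the window
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"key": key, "count": len(q), "at": ev["ts"]})
    return alerts


def sample_log(failures=25, spacing_seconds=3):
    """Constructed log: one attacker IP hammering one account, plus benign noise."""
    base = datetime(2025, 3, 20, 10, 0, 0)
    lines = [f"{base.isoformat()} 203.0.113.9 reset_code_check "
             f"email=alice@example.invalid result=ok"]
    for i in range(failures):
        ts = (base + timedelta(seconds=spacing_seconds * i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 reset_code_check "
                     f"email=owner@example.invalid result=fail")
    ts = (base + timedelta(minutes=1)).isoformat()
    lines.append(f"{ts} 203.0.113.9 reset_code_check "
                 f"email=bob@example.invalid result=fail")   # one honest typo
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Keying on the target account as well as the source IP matters here: the attack is against one account, so a guesser rotating through many addresses still trips the per-account count, while the per-IP count catches one address probing many accounts. The window keeps slow, spread-out guessing below threshold, which is the trade-off to tune against the per-code attempt budget the prevent controls impose.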

References

https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512