CVE-2024-12039
Published: 20 March 2025
Summary
CVE-2024-12039 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Langgenius Dify. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked in the top 26.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces limits on consecutive invalid password reset code attempts, preventing brute-force guessing of the six-digit code.
Requires secure management of authenticators like password reset codes, including protection against unauthorized disclosure and brute-force through procedural controls.
Monitors system activity to identify excessive failed password reset attempts indicative of brute-force attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability lacks limits on password reset code guess attempts, enabling unauthenticated attackers to brute force the six-digit code (T1110.001: Password Guessing) and compromise user accounts.
NVD Description
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by…
more
guessing the six-digit code, resulting in a complete compromise of the application.
Deeper analysisAI
CVE-2024-12039 is a vulnerability in langgenius/dify version v0.10.1, specifically in the password reset mechanism, where no limits are applied to the number of code guess attempts for the six-digit reset code. This issue, classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-03-20.
An unauthenticated attacker can exploit this vulnerability over the network by brute-forcing the six-digit password reset code without rate limiting or attempt restrictions. Within a few hours of guessing, the attacker can successfully reset passwords for owner, admin, or other user accounts, resulting in complete compromise of the application, including high confidentiality, integrity, and availability impacts.
The primary reference for advisories and mitigation is available at https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512, which details the vulnerability discovered through a bug bounty program.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Dify (langgenius/dify) is an open-source platform for building and deploying AI applications, including LLM-based agents and assistants, fitting the Enterprise AI Assistants category. The vulnerability is in this AI platform, confirmed via AI/ML bug bounty advisory.