CVE-2025-0185
Published: 20 March 2025
Summary
CVE-2025-0185 is a high-severity Code Injection (CWE-94) vulnerability in Dify Dify. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the Pandas query injection by requiring validation and sanitization of unsanitized user inputs before execution in the Vanna module's get_training_plan_generic function.
Ensures timely remediation of the specific flaw in the langgenius/dify Vanna module through patching or updates as advised in the Huntr report.
Identifies the presence of CVE-2025-0185 via vulnerability scanning of the affected Dify Tools' Vanna module to enable proactive mitigation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Pandas Query Injection vulnerability in Dify's Vanna module enables remote code execution via unsanitized inputs, exploiting public-facing applications (T1190) and facilitating arbitrary Python command execution (T1059.006).
NVD Description
A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using…
more
the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.
Deeper analysisAI
CVE-2025-0185 is a Pandas Query Injection vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository, affecting the latest version. The flaw occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries via the Pandas library. Published on 2025-03-20, this issue is classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential remote code execution (RCE).
The vulnerability can be exploited by low-privileged remote attackers (PR:L) with network access (AV:N), requiring low attack complexity (AC:L) and no user interaction (UI:N). Exploitation involves injecting malicious queries through unsanitized inputs, enabling attackers to execute arbitrary code on the affected system and achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
Advisories and mitigation guidance are detailed in the Huntr bounty report at https://huntr.com/bounties/7d9eb9b2-7b86-45ed-89bd-276c1350db7e.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Dify (langgenius/dify) is an open-source enterprise platform for developing LLM applications and AI assistants, with the Vanna module enabling AI-powered text-to-SQL functionality; the vulnerability in its training plan generation is AI-related.