CVE-2025-0185
Published: 20 March 2025
Summary
CVE-2025-0185 is a high-severity Code Injection (CWE-94) vulnerability in Dify Dify. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability tracked as CVE-2025-0185 exists in the Dify Tools Vanna module of the langgenius/dify repository. The flaw is a Pandas Query Injection in the function vn.get_training_plan_generic(df_information_schema), which fails to sanitize user inputs before passing them to Pandas query execution and is tracked under CWE-94. The component is exposed in the latest version of the affected repository and carries a CVSS 3.1 score of 8.8.
An authenticated attacker with network access can supply crafted input that results in remote code execution, granting full control over confidentiality, integrity, and availability without user interaction. The attack vector is rated as low complexity under the CVSS metrics.
Public references consist of a huntr.com bounty entry that describes the injection path but provides no explicit patch or mitigation details in the available information. The associated EPSS score has remained low, reaching a peak of only 0.0379.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6817
Vulnerability details
A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using…
more
the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: dify, pandas
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Pandas Query Injection vulnerability in Dify's Vanna module enables remote code execution via unsanitized inputs, exploiting public-facing applications (T1190) and facilitating arbitrary Python command execution (T1059.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the Pandas query injection by requiring validation and sanitization of unsanitized user inputs before execution in the Vanna module's get_training_plan_generic function.
Ensures timely remediation of the specific flaw in the langgenius/dify Vanna module through patching or updates as advised in the Huntr report.
Identifies the presence of CVE-2025-0185 via vulnerability scanning of the affected Dify Tools' Vanna module to enable proactive mitigation.