Cyber Resilience

CVE-2025-0185

HighPublic PoCRCE

Published: 20 March 2025

Published
20 March 2025
Modified
27 March 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0302 86.9th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0185 is a high-severity Code Injection (CWE-94) vulnerability in Dify Dify. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability tracked as CVE-2025-0185 exists in the Dify Tools Vanna module of the langgenius/dify repository. The flaw is a Pandas Query Injection in the function vn.get_training_plan_generic(df_information_schema), which fails to sanitize user inputs before passing them to Pandas query execution and is tracked under CWE-94. The component is exposed in the latest version of the affected repository and carries a CVSS 3.1 score of 8.8.

An authenticated attacker with network access can supply crafted input that results in remote code execution, granting full control over confidentiality, integrity, and availability without user interaction. The attack vector is rated as low complexity under the CVSS metrics.

Public references consist of a huntr.com bounty entry that describes the injection path but provides no explicit patch or mitigation details in the available information. The associated EPSS score has remained low, reaching a peak of only 0.0379.

EU & UK References

Vulnerability details

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does not properly sanitize user inputs before executing queries using…

more

the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: dify, pandas

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Pandas Query Injection vulnerability in Dify's Vanna module enables remote code execution via unsanitized inputs, exploiting public-facing applications (T1190) and facilitating arbitrary Python command execution (T1059.006).

CVEs Like This One

CVE-2026-41947Same product: Dify Dify
CVE-2026-41949Same product: Dify Dify
CVE-2026-41948Same product: Dify Dify
CVE-2024-11822Same product: Dify Dify
CVE-2025-53890Shared CWE-94
CVE-2026-31220Shared CWE-94
CVE-2024-57609Shared CWE-94
CVE-2026-31231Shared CWE-94
CVE-2024-10252Shared CWE-94
CVE-2025-54550Shared CWE-94

Affected Assets

dify
dify
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the Pandas query injection by requiring validation and sanitization of unsanitized user inputs before execution in the Vanna module's get_training_plan_generic function.

prevent

Ensures timely remediation of the specific flaw in the langgenius/dify Vanna module through patching or updates as advised in the Huntr report.

detect

Identifies the presence of CVE-2025-0185 via vulnerability scanning of the affected Dify Tools' Vanna module to enable proactive mitigation.

References