CVE-2024-10252

Name of the Vulnerable Software and Affected Versions langgenius/dify versions <=v0.9.1

Description A vulnerability in the Dify sandbox service allows for code injection via internal SSRF requests. This enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of the entire sandbox service and causing irreversible damage.

Recommendations For versions <=v0.9.1, update to a version that contains a fix for this issue, as using a version prior to or equal to v0.9.1 poses a significant risk. As a temporary workaround, consider restricting access to the Dify sandbox service to minimize the risk of exploitation.