CVE-2024-11822

Source
https://cve.org/CVERecord?id=CVE-2024-11822
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11822.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-11822
Published
2025-03-20T10:09:14.815Z
Modified
2026-07-08T07:47:10.803568257Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Server-Side Request Forgery (SSRF) in langgenius/dify
Details

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the api_endpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal servers and potentially expose sensitive information, including access to the AWS metadata endpoint.

Database specific
{
    "cna_assigner": "@huntr_ai",
    "cwe_ids": [
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/11xxx/CVE-2024-11822.json"
}
References

Affected packages

Git / github.com/langgenius/dify

Affected ranges

Type
GIT
Repo
https://github.com/langgenius/dify
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.9.1"
        },
        {
            "last_affected": "0.9.1"
        }
    ],
    "cpe": "cpe:2.3:a:dify:dify:0.9.1:*:*:*:*:*:*:*",
    "source": "CPE_STRING"
}

Affected versions

0.*
0.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-11822.json"