CVE-2024-12775: Dify: SSRF via custom tool URL enables credential theft

Severity: UNKNOWN | PoC available | CISA SSVC: Track*
Published March 20, 2025
CISO Take

An authenticated Dify console user can forge server-side requests to arbitrary URLs—including cloud metadata endpoints (AWS IMDS, GCP)—by manipulating the OpenAPI schema URL field in the Custom Tool test feature. If your Dify instance runs in a cloud environment or has network access to internal services, treat this as high priority regardless of the missing CVSS score. Upgrade immediately and enforce egress filtering blocking RFC-1918 ranges and cloud metadata IPs (169.254.169.254).

What is the risk?

Effective risk is HIGH for cloud-hosted or internally-networked Dify deployments despite the unknown CVSS. Authentication is required (console access), which limits the attack surface, but insider threats, compromised accounts, or multi-tenant deployments where untrusted users have console access make this readily exploitable. SSRF to cloud metadata endpoints is a well-documented path to IAM credential theft and full cloud account takeover. Single-tenant, air-gapped deployments face lower risk.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
dify No patch

Do you use dify? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
0.6%
chance of exploitation in 30 days
Higher than 45% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

6 steps
  1. Upgrade Dify beyond 0.10.1—monitor the official repo for the patch release.

  2. Block egress from the Dify host to: 169.254.169.254 (cloud metadata), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (internal ranges).

  3. Apply least-privilege IAM policies to the Dify host identity—assume credentials can be exfiltrated.

  4. Audit console access: restrict who can create or test Custom Tools.

  5. Enable outbound HTTP monitoring/logging on the Dify host and alert on requests to metadata endpoints or unexpected internal destinations.

  6. If you cannot patch immediately, disable Custom Tool creation in Dify settings or restrict via WAF rules on POST /console/api/workspaces/current/tool-provider/api/test/pre.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI system inputs
NIST AI RMF
MANAGE 2.2 - Mechanisms to detect unintended AI system behavior
OWASP LLM Top 10
LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-12775?

An authenticated Dify console user can forge server-side requests to arbitrary URLs—including cloud metadata endpoints (AWS IMDS, GCP)—by manipulating the OpenAPI schema URL field in the Custom Tool test feature. If your Dify instance runs in a cloud environment or has network access to internal services, treat this as high priority regardless of the missing CVSS score. Upgrade immediately and enforce egress filtering blocking RFC-1918 ranges and cloud metadata IPs (169.254.169.254).

Is CVE-2024-12775 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12775, increasing the risk of exploitation.

How to fix CVE-2024-12775?

1. Upgrade Dify beyond 0.10.1—monitor the official repo for the patch release.
2. Block egress from the Dify host to: 169.254.169.254 (cloud metadata), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (internal ranges).
3. Apply least-privilege IAM policies to the Dify host identity—assume credentials can be exfiltrated.
4. Audit console access: restrict who can create or test Custom Tools.
5. Enable outbound HTTP monitoring/logging on the Dify host and alert on requests to metadata endpoints or unexpected internal destinations.
6. If you cannot patch immediately, disable Custom Tool creation in Dify settings or restrict via WAF rules on POST /console/api/workspaces/current/tool-provider/api/test/pre.

What systems are affected by CVE-2024-12775?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application platforms, cloud-hosted AI services, API integrations, multi-tenant AI workspaces.

What is the CVSS score for CVE-2024-12775?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks
LLM application platforms
cloud-hosted AI services
API integrations
multi-tenant AI workspaces

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0075 Cloud Service Discovery
AML.T0083 Credentials from AI Agent Configuration
AML.T0098 AI Agent Tool Credential Harvesting

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07:2023

What are the technical details?

Original Advisory

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. Attackers can set the `url` in the `servers` dictionary of the OpenAPI schema to arbitrary URL targets, allowing them to abuse the victim server's credentials to access unauthorized web resources.

Exploitation Scenario

An attacker with Dify console access (compromised employee, insider, or legitimate user in a multi-tenant setup) opens the Custom Tool creation UI. They craft a minimal OpenAPI schema with `servers[{url: 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'}]` and trigger the test endpoint. Dify's backend makes a GET request to the AWS metadata service using the EC2 instance's IAM role, and the response—containing temporary AWS access keys—is returned to the attacker. The attacker then uses these credentials to access S3 buckets, enumerate infrastructure, or escalate privileges in the AWS account. The entire attack chain takes under 5 minutes and requires no AI/ML knowledge.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
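The CWE-918 fix is to check where a user-supplied `servers[].url` actually points before the Custom Tool test fetch is made. The validator below is an added example in Python (not Dify's own code): it rejects non-http(s) schemes, IP literals (including IPv4-mapped IPv6 forms) in the metadata, RFC 1918, loopback and link-local ranges from the remediation steps, and hostnames that resolve to any such address. The `resolve` parameter and the `check_openapi_servers` helper are this example's own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges the Dify host must never fetch on a user's behalf (constructed from the steps above).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata service
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "100.64.0.0/10", "::1/128", "fe80::/10", "fc00::/7",
)]

def _is_blocked(ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata IP
    return any(addr in net for net in BLOCKED_NETWORKS)

def _resolve(host: str) -> list[str]:
    # Every address the name resolves to; a hostname is only as safe as its worst record.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def validate_server_url(url: str, resolve=_resolve) -> tuple[bool, str]:
    """Return (ok, reason) for one OpenAPI servers[].url before the test fetch runs.
    Rejects non-http(s) schemes, blocked IP literals, and hostnames with any blocked
    A/AAAA record (for example a public name pointed at 169.254.169.254)."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False, "scheme must be http(s) with a host"
    try:
        ipaddress.ip_address(host)
        targets = [host]  # IP literal, nothing to resolve
    except ValueError:
        try:
            targets = resolve(host)
        except OSError:  # socket.gaierror is an OSError
            return False, f"cannot resolve {host}"
    for ip in targets:
        if _is_blocked(ip):
            return False, f"{host} -> {ip} is in a blocked range"
    return True, "ok"

def check_openapi_servers(schema: dict, resolve=_resolve) -> list[str]:
    """Reasons for every rejected servers[].url in the schema; empty means the test may run."""
    problems = []
    for server in schema.get("servers", []):
        ok, reason = validate_server_url(str(server.get("url", "")), resolve)
        if not ok:
            problems.append(reason)
    return problems
```

The HTTP client that performs the test fetch must then connect to the address that passed validation rather than re-resolving the name, and must apply the same check to every redirect it follows; otherwise a DNS record that changes between check and fetch, or a 302 to the metadata IP, bypasses the validator.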

Source: MITRE CWE corpus.

Timeline

Published
March 20, 2025
Last Modified
July 14, 2025
First Seen
March 20, 2025

Related Vulnerabilities