CVE-2024-12775: Dify: SSRF via custom tool URL enables credential theft

UNKNOWN | PoC AVAILABLE | CISA: TRACK*
Published March 20, 2025
CISO Take

An authenticated Dify console user can forge server-side requests to arbitrary URLs—including cloud metadata endpoints (AWS IMDS, GCP)—by manipulating the OpenAPI schema URL field in the Custom Tool test feature. If your Dify instance runs in a cloud environment or has network access to internal services, treat this as high priority regardless of the missing CVSS score. Upgrade immediately and enforce egress filtering blocking RFC-1918 ranges and cloud metadata IPs (169.254.169.254).

Risk Assessment

Effective risk is HIGH for cloud-hosted or internally-networked Dify deployments despite the unknown CVSS. Authentication is required (console access), which limits the attack surface—but insider threats, compromised accounts, or multi-tenant deployments where untrusted users have console access make this very exploitable. SSRF to cloud metadata endpoints is a well-documented path to IAM credential theft and full cloud account takeover. Single-tenant, air-gapped deployments face lower risk.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
dify | | | No patch

Do you use dify? You're affected.

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.3% chance of exploitation in 30 days (higher than 51% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Upgrade Dify beyond 0.10.1—monitor the official repo for the patch release.

  2. Block egress from the Dify host to: 169.254.169.254 (cloud metadata), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (internal ranges).

  3. Apply least-privilege IAM policies to the Dify host identity—assume credentials can be exfiltrated.

  4. Audit console access: restrict who can create or test Custom Tools.

  5. Enable outbound HTTP monitoring/logging on the Dify host and alert on requests to metadata endpoints or unexpected internal destinations.

  6. If you cannot patch immediately, disable Custom Tool creation in Dify settings or restrict via WAF rules on POST /console/api/workspaces/current/tool-provider/api/test/pre.

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Security of AI system inputs
NIST AI RMF: MANAGE 2.2 - Mechanisms to detect unintended AI system behavior
OWASP LLM Top 10: LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-12775?

An authenticated Dify console user can forge server-side requests to arbitrary URLs—including cloud metadata endpoints (AWS IMDS, GCP)—by manipulating the OpenAPI schema URL field in the Custom Tool test feature. If your Dify instance runs in a cloud environment or has network access to internal services, treat this as high priority regardless of the missing CVSS score. Upgrade immediately and enforce egress filtering blocking RFC-1918 ranges and cloud metadata IPs (169.254.169.254).

Is CVE-2024-12775 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-12775, increasing the risk of exploitation.

How to fix CVE-2024-12775?

  1. Upgrade Dify beyond 0.10.1—monitor the official repo for the patch release.

  2. Block egress from the Dify host to: 169.254.169.254 (cloud metadata), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 (internal ranges).

  3. Apply least-privilege IAM policies to the Dify host identity—assume credentials can be exfiltrated.

  4. Audit console access: restrict who can create or test Custom Tools.

  5. Enable outbound HTTP monitoring/logging on the Dify host and alert on requests to metadata endpoints or unexpected internal destinations.

  6. If you cannot patch immediately, disable Custom Tool creation in Dify settings or restrict via WAF rules on POST /console/api/workspaces/current/tool-provider/api/test/pre.

What systems are affected by CVE-2024-12775?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM application platforms, cloud-hosted AI services, API integrations, multi-tenant AI workspaces.

What is the CVSS score for CVE-2024-12775?

No CVSS score has been assigned yet.

Technical Details

NVD Description

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. Attackers can set the `url` in the `servers` dictionary in OpenAI's schema with arbitrary URL targets, allowing them to abuse the victim server's credentials to access unauthorized web resources.
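One way to reject such `servers` URLs before a backend fetches them, using the ranges listed under Recommended Action. This is an added example, not Dify's code or its patch; `check_server_url`, `rejected_servers`, the injectable `resolver` and the loopback entries are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges the page recommends blocking, plus loopback (an added assumption).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",  # link-local, contains 169.254.169.254 (cloud metadata)
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",  # loopback (assumption, not listed on the page)
)]


def system_resolver(host):
    """Return every address the host resolves to (uses live DNS)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def check_server_url(url, resolver=system_resolver):
    """Return (allowed, reason) for one servers[].url value."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # IP literal: no DNS
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a.split("%")[0])
                     for a in resolver(parts.hostname)]
        except OSError:
            return False, "host does not resolve"
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot bypass the list.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if any(addr in net for net in BLOCKED_NETS):
            return False, f"{addr} is in a blocked range"
    return True, "ok"


def rejected_servers(schema, resolver=system_resolver):
    """Map each rejected servers[].url in an OpenAPI schema dict to its reason."""
    out = {}
    for server in schema.get("servers", []):
        ok, reason = check_server_url(str(server.get("url", "")), resolver)
        if not ok:
            out[server.get("url")] = reason
    return out


# Constructed sample schema (not from a real deployment).
SAMPLE = {"servers": [{"url": "http://169.254.169.254/"}]}
```

A check like this complements the egress filtering above rather than replacing it: a redirect, or a DNS answer that changes between the check and the fetch, can still reach a blocked address.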

Exploitation Scenario

An attacker with Dify console access (compromised employee, insider, or legitimate user in a multi-tenant setup) opens the Custom Tool creation UI. They craft a minimal OpenAPI schema with `servers[{url: 'http://169.254.169.254/latest/meta-data/iam/security-credentials/'}]` and trigger the test endpoint. Dify's backend makes a GET request to the AWS metadata service using the EC2 instance's IAM role, and the response—containing temporary AWS access keys—is returned to the attacker. The attacker then uses these credentials to access S3 buckets, enumerate infrastructure, or escalate privileges in the AWS account. The entire attack chain takes under 5 minutes and requires no AI/ML knowledge.

Weaknesses (CWE)

Timeline

Published: March 20, 2025
Last Modified: July 14, 2025
First Seen: March 20, 2025
