Dify Server-Side Request Forgery Vulnerability in Remote File Upload API

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Dify version 1.6.0. The issue lies in the Remote File Upload API component, which lets unauthorized users make the application send requests to URLs they supply. Because these outbound requests are made without proper authentication, the flaw can lead to unauthorized access or data exposure.

Impact

Exploitation of this vulnerability lets an attacker make unauthorized outbound requests from the Dify application, which could be used to reach internal services or data.

Reproduction

The vulnerability can be reproduced by sending a request to the Remote File Upload API with a URL parameter. The API will then make an outbound request to the specified URL. This behavior has been confirmed on the cloud version of Dify.

Remediation

It is recommended to implement authentication for the Remote File Upload API to prevent unauthorized access.
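Alongside authentication, a remote-fetch endpoint of this kind is normally also guarded by checking where the supplied URL actually points before any request is made. The following is an added example of that check, not Dify's code; `check_remote_url`, `constructed_resolver` and the hostnames it answers for are assumed, and it goes beyond the page's stated remediation by adding destination filtering (scheme allow-list, rejection of embedded credentials, and rejection of loopback, private, link-local and IPv4-mapped addresses).

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

def resolve_all(hostname):
    """Resolve every A/AAAA record; one name may map to several addresses."""
    infos = socket.getaddrinfo(hostname, None)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def is_forbidden_address(addr):
    """True for any address an outbound fetch from the server must not reach."""
    mapped = getattr(addr, "ipv4_mapped", None)  # unwrap ::ffff:10.0.0.1 forms
    if mapped is not None:
        addr = mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def check_remote_url(url, resolver=resolve_all):
    """Return (allowed, detail): detail is the rejection reason, or the sorted
    resolved addresses the fetcher should connect to (do not re-resolve)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme!r}"
    if not parsed.hostname or parsed.username or parsed.password:
        return False, "missing host or credentials embedded in URL"
    try:
        addrs = {ipaddress.ip_address(parsed.hostname)}  # literal IP: no DNS needed
    except ValueError:
        addrs = resolver(parsed.hostname)
    if not addrs:
        return False, "hostname did not resolve"
    for addr in sorted(addrs, key=str):
        if is_forbidden_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, [str(a) for a in sorted(addrs, key=str)]

def constructed_resolver(hostname):
    """Offline stand-in for DNS with constructed answers (demo only)."""
    table = {"files.example": {ipaddress.ip_address("93.184.216.34")},
             "rebind.example": {ipaddress.ip_address("93.184.216.34"),
                                ipaddress.ip_address("10.0.0.5")}}
    return table.get(hostname, set())

if __name__ == "__main__":
    for u in ("https://files.example/a.pdf", "http://127.0.0.1:5001/", "file:///etc/passwd"):
        print(u, check_remote_url(u, resolver=constructed_resolver))
```

The caller should open the connection to one of the returned addresses rather than letting the HTTP client resolve the name again, otherwise a name that changes its answer between check and fetch bypasses the filter.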

Added: Sep 30, 2025, 5:17 PM
Updated: Sep 30, 2025, 5:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 6.0
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.