langgenius Dify
cpe:2.3:a:langgenius:dify:*:*:*:*:node.js:*:*
- <= 1.8.1
A user enumeration vulnerability exists in Dify, an open-source LLM app development platform, in versions prior to 1.9.0. The issue arises because the Dify API responses differ for existing and non-existent accounts. This discrepancy allows attackers to identify registered email addresses. The vulnerability can be exploited by sending login requests with valid and invalid emails and noting the different error messages returned.
Exploitation of this vulnerability allows for email enumeration, where an attacker can determine which email addresses are registered with Dify. This information could be used for targeted phishing attacks or to conduct brute-force attempts on known accounts.
To reproduce this vulnerability, send a login request to the Dify API's login endpoint with a valid email address and an incorrect password. The response will indicate that the email or password is invalid. Next, send a request with an invalid email address and an incorrect password. The response will confirm that the account was not found. The difference in responses can be used to enumerate registered email addresses.
Users can update to Dify version 1.9.0 or later, where this vulnerability has been fixed.
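The response difference described above, beside the uniform-response handler that closes it, as an added Python illustration. This is not Dify's own code: the account store, the password-hashing helper, the error codes and the messages are constructed for the example, and the `responses_distinguishable` check is a regression test a maintainer could keep in a login test suite to catch the pattern coming back.

```python
"""Added illustration (not Dify's code): how distinct login errors enable user
enumeration, and a hardened handler that returns one uniform failure response."""
import hashlib
import hmac


def _derive(password: str, salt: bytes) -> bytes:
    # Stand-in for whatever password hashing the real application uses.
    # The iteration count is kept low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed sample account store: email -> (salt, derived key).
_SALT = b"constructed-salt"
ACCOUNTS = {"alice@example.com": (_SALT, _derive("correct horse", _SALT))}

# Dummy key compared against when the email is unknown, so the hardened handler
# does the same hashing work whether or not the account exists (timing uniformity).
_DUMMY = _derive("dummy", _SALT)


def _password_matches(password: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(_derive(password, salt), expected)


def login_leaky(email: str, password: str) -> tuple[int, dict]:
    """Vulnerable pattern: the failure response reveals whether the email exists."""
    record = ACCOUNTS.get(email)
    if record is None:
        return 404, {"code": "account_not_found", "message": "Account not found"}
    salt, expected = record
    if not _password_matches(password, salt, expected):
        return 401, {"code": "invalid_credentials",
                     "message": "Email or password is invalid"}
    return 200, {"result": "success"}


def login_hardened(email: str, password: str) -> tuple[int, dict]:
    """Hardened form: identical status and body for an unknown email and for a
    wrong password, and the same hashing cost on both paths."""
    record = ACCOUNTS.get(email)
    salt, expected = record if record is not None else (_SALT, _DUMMY)
    ok = _password_matches(password, salt, expected) and record is not None
    if not ok:
        return 401, {"code": "invalid_credentials",
                     "message": "Email or password is invalid"}
    return 200, {"result": "success"}


def responses_distinguishable(handler) -> bool:
    """Regression check: with a wrong password, do a registered and an unregistered
    email produce different failure responses? True means enumeration is possible."""
    known = handler("alice@example.com", "wrong password")
    unknown = handler("nobody@example.com", "wrong password")
    return known != unknown


if __name__ == "__main__":
    print("leaky handler distinguishable:", responses_distinguishable(login_leaky))
    print("hardened handler distinguishable:", responses_distinguishable(login_hardened))
```

The check compares the whole response (status code and body), because a fix that unifies the message but leaves a 404 versus 401 status, or a different JSON error code, still lets the two cases be told apart.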