Dify Stored Cross-Site Scripting Vulnerability via SVG File Upload

Vulnerability

A stored cross-site scripting vulnerability has been identified in Dify, an open-source platform for developing applications with large language models. This issue affects versions prior to 1.13.1. The vulnerability arises because any unauthenticated user can upload an SVG file containing malicious scripts through the `POST /api/files/upload` endpoint. Although that endpoint requires no authentication, the authenticated `POST /v1/files/upload` method is susceptible to the same issue. Once uploaded, the SVG file executes its scripts when a user opens it in the browser, which can lead to session theft or to actions being performed on behalf of that user.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where uploaded SVG files can execute scripts when accessed, potentially leading to session theft or actions being performed on behalf of the user.

Reproduction

To reproduce this vulnerability, upload an SVG file containing a script tag through the `POST /api/files/upload` endpoint without authentication. Alternatively, use the `POST /v1/files/upload` method with an application API key, as this endpoint also allows for the upload of malicious SVG files.

Remediation

Users can upgrade to Dify version 1.13.1 or later to address this vulnerability.
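For operators who cannot upgrade immediately, or who want a compensating control in front of any file-upload endpoint, the following is an added example (not Dify's code) of the two checks this class of bug calls for: rejecting SVG uploads that carry active content, and serving stored uploads with response headers that prevent a browser from rendering them as a document in the application's origin. It goes beyond the page's specific case (a `<script>` tag) by also flagging event-handler attributes and `javascript:` URLs, which are standard SVG XSS vectors. All function names, the `DANGEROUS_ELEMENTS` list and the sample SVG documents are constructed for this example.

```python
"""Defensive checks for user-uploaded SVG files (added example, not Dify's code)."""
import re
import xml.etree.ElementTree as ET

# Elements that embed executable or foreign content inside an SVG document.
# Constructed for this example; extend to match the renderer you serve to.
DANGEROUS_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

# Attributes (local names, namespace stripped) that can hold a URL,
# including the animation attributes that can retarget an href at runtime.
URL_ATTRS = {"href", "src", "data", "from", "to", "values"}


def local_name(qname: str) -> str:
    """Strip ElementTree's '{namespace}' prefix: '{...svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def _is_script_url(value: str) -> bool:
    """True if the URL uses the javascript: scheme.

    Browsers ignore control characters and whitespace inside the scheme,
    so they are removed before comparison to avoid trivial bypasses.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return cleaned.lower().startswith("javascript:")


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings describing active content in an SVG upload.

    An empty list means nothing suspicious was found. Any finding should cause
    the upload to be rejected (or the file to be stored as an opaque attachment).
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        tag = local_name(elem.tag)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and _is_script_url(value):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Convenience wrapper for an upload handler: accept only if no findings."""
    return not find_active_content(svg_bytes)


def download_headers(filename: str) -> dict[str, str]:
    """Response headers for serving any stored upload.

    Even if an unsanitized file slips through, these stop the browser from
    rendering it as a document inside the application's origin.
    """
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # no quotes, CR or LF in the header
    return {
        # Force a download instead of rendering the SVG inline.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # Prevent MIME sniffing into text/html.
        "X-Content-Type-Options": "nosniff",
        # If the file is rendered anyway, deny every script source and sandbox it.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed sample documents for demonstration.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
# Tab entity inside the scheme: a common trick to dodge naive "javascript:" string matching.
XLINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href="java&#x09;script:alert(1)"><text>click</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("xlink", XLINK_SVG)]:
        print(label, "->", find_active_content(doc) or "clean")
    print(download_headers('report "2026".svg'))
```

The parse-and-inspect approach is preferred over a regular expression on the raw bytes because the XML parser resolves the entity and namespace tricks (`&#x09;`, `xlink:` prefixes) that a string match misses. The header function is the more important half: an upload service should serve user files as attachments from an isolated origin regardless of whether content filtering is in place.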

Added: May 4, 2026, 6:21 PM
Updated: May 4, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  5.8
remediation     7.7
relevance       7.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.