Description
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.
Scores
CVSS v3
8.1
EPSS
0.0078
EPSS Percentile
73.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-307
Status
published
Products (1)
langgenius/dify
0.10.1
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026