CVE-2024-12039
HIGHDify v0.10.1 - Unauthenticated Password Reset Code Brute-Force
Title source: llmDescription
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512
Scores
CVSS v3
8.1
EPSS
0.0059
EPSS Percentile
43.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-307
Status
published
Products (1)
langgenius/dify
0.10.1
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026