2025-03-20 10:09:23
@huntr_ai
PUBLISHED
langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API `POST /console/api/workspaces/current/tool-provider/api/test/pre`. Attackers can set the `url` in the `servers` dictionary in OpenAIs schema with arbitrary URL targets, allowing them to abuse the victim servers credentials to access unauthorized web resources.