CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-12039: Improper Restriction of Excessive Authentication Attempts in langgenius/dify

7.4 CVSS

Description

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.

Classification

CVE ID: CVE-2024-12039

CVSS Base Severity: HIGH

CVSS Base Score: 7.4

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem Types

CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products

Vendor: langgenius

Product: langgenius/dify

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 7.52% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12039
https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512

Timeline

2025-03-20 11:40:25 UTC
CVE

Improper Restriction of Excessive Authentication Attempts in langgenius/dify