VYPR
Severity: Unrated · Source: NVD Advisory · Published Mar 20, 2025 · Updated Mar 20, 2025

Pandas Query Injection in langgenius/dify

CVE-2025-0185

Description

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function vn.get_training_plan_generic(df_information_schema), which does not properly sanitize user inputs before executing queries using the Pandas library. This can potentially lead to Remote Code Execution (RCE) if exploited.


Affected products

  • Langgenius/Difyllm-fuzzy
    Range: latest
  • langgenius/langgenius/difyv5
    Range: unspecified
