Skip to main content
CVE Vulnerability Database

CVE-2025-0185: Dify Dify Pandas Query Injection RCE Flaw

CVE-2025-0185 is a Pandas query injection vulnerability in Dify Dify's Vanna module that can lead to remote code execution. This post covers the technical details, affected versions, security impact, and mitigation steps.

Published:

CVE-2025-0185 Overview

CVE-2025-0185 is a Pandas Query Injection vulnerability in the Vanna module of the Dify Tools component within the langgenius/dify repository. The flaw resides in the vn.get_training_plan_generic(df_information_schema) function, which fails to sanitize user-supplied input before passing it to Pandas query operations. An authenticated attacker with low privileges can inject crafted expressions that the Pandas engine evaluates, leading to potential Remote Code Execution (RCE) on the host running Dify. The vulnerability is tracked under CWE-94: Improper Control of Generation of Code.

Critical Impact

Successful exploitation enables Remote Code Execution against Dify instances over the network, compromising confidentiality, integrity, and availability of the affected system.

Affected Products

  • langgenius/dify repository — latest version at time of disclosure
  • Dify Tools Vanna module
  • Deployments exposing the Vanna training plan functionality

Discovery Timeline

  • 2025-03-20 - CVE-2025-0185 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-0185

Vulnerability Analysis

The Vanna integration in Dify provides natural language to SQL capabilities backed by Pandas DataFrame operations. The function vn.get_training_plan_generic(df_information_schema) accepts a DataFrame derived from user-controlled data and processes it through Pandas query interfaces. Pandas query and eval methods compile expressions in a way that can resolve Python attributes and invoke callable objects when input is not strictly validated. Attackers craft DataFrame contents or query strings that traverse object references to reach os.system, subprocess, or equivalent execution primitives. The result is arbitrary command execution in the context of the Dify process.

Root Cause

The root cause is missing input sanitization on values that flow into Pandas expression evaluation. Dify trusts the df_information_schema payload and passes attacker-influenced content directly into the Vanna training plan logic. Because Pandas expression engines resolve Python objects during evaluation, any unsanitized expression becomes executable code. This pattern aligns with [CWE-94] code injection.

Attack Vector

The attack vector is network-based and requires low privileges with no user interaction. An authenticated user submits crafted schema content or query parameters to the Vanna tool endpoint. Dify forwards the payload to get_training_plan_generic, where Pandas evaluates the injected expression. The injected code executes with the privileges of the Dify worker process.

No verified public proof-of-concept code is available. Technical details are documented in the Huntr Security Bounty report.

Detection Methods for CVE-2025-0185

Indicators of Compromise

  • Unexpected child processes spawned by the Dify Python worker, particularly shells (sh, bash) or interpreters (python, perl).
  • Outbound network connections from the Dify container to attacker-controlled infrastructure following Vanna tool invocations.
  • Anomalous Pandas query strings containing attribute traversal patterns such as __class__, __mro__, or __subclasses__ in application logs.

Detection Strategies

  • Monitor Dify application logs for invocations of get_training_plan_generic containing non-standard schema characters or Python dunder attributes.
  • Apply process lineage detection to flag the Dify worker spawning command interpreters or network utilities.
  • Correlate Vanna tool API calls with subsequent filesystem writes or outbound connections from the same process.

Monitoring Recommendations

  • Enable verbose audit logging for all Dify Tools endpoints and forward to a centralized analytics platform.
  • Baseline normal Pandas query patterns and alert on deviations, especially expressions that reference Python internals.
  • Track authentication events and rate-limit users invoking the Vanna module to surface abuse patterns.

How to Mitigate CVE-2025-0185

Immediate Actions Required

  • Disable the Vanna tool in Dify until a patched version is deployed if the feature is not business-critical.
  • Restrict access to Dify Tools endpoints through network ACLs and authenticated reverse proxies.
  • Audit existing Dify user accounts and revoke unused or shared credentials that could be leveraged by an attacker.

Patch Information

At the time of publication, no vendor advisory URL is listed in the NVD record. Monitor the langgenius/dify GitHub repository and the Huntr disclosure for the official fix and upgrade to the patched release as soon as it becomes available.

Workarounds

  • Run Dify inside a hardened container with a read-only filesystem and a non-root user to limit RCE impact.
  • Apply egress filtering on the Dify host or pod to block outbound traffic to untrusted destinations.
  • Enforce strict input validation at the reverse proxy layer to reject payloads containing Python dunder attributes or shell metacharacters before they reach the Vanna module.
bash
# Example: restrict Dify container egress with iptables
iptables -A OUTPUT -m owner --uid-owner dify -d 10.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner dify -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.