CVE-2025-3466 Overview
CVE-2025-3466 affects langgenius/dify versions 1.1.0 through 1.1.2, an open-source LLM application development platform. The vulnerability resides in the code node, which fails to sanitize user-supplied JavaScript input before sandbox restrictions are applied. Attackers can override global functions such as parseInt to break out of the sandbox and execute arbitrary code with root privileges. Successful exploitation grants access to secret keys, internal network servers, and enables lateral movement within dify.ai deployments. The maintainers fixed the issue in version 1.1.3.
Critical Impact
Authenticated attackers can escape the JavaScript sandbox in the dify code node and execute arbitrary code as root, exposing secrets and enabling lateral movement.
Affected Products
- langgenius dify 1.1.0
- langgenius dify 1.1.1
- langgenius dify 1.1.2
Discovery Timeline
- 2025-07-07 - CVE-2025-3466 published to NVD
- 2025-07-10 - Last updated in NVD database
Technical Details for CVE-2025-3466
Vulnerability Analysis
The dify platform exposes a code node that lets users run JavaScript snippets as part of application workflows. The runtime invokes user-supplied code before the sandbox security layer fully isolates the execution context. This ordering flaw lets an attacker redefine built-in global functions such as parseInt so that subsequent sandbox or platform logic calls the attacker-controlled implementation. Once a host-side function consumes the overridden global, the attacker's code runs with the privileges of the dify worker process, which executes as root.
This class of weakness maps to CWE-1100, insufficient isolation of system-dependent functions. The result is a full sandbox escape that yields arbitrary code execution on the host. Attackers can read environment secrets, API keys, and database credentials. They can also pivot to internal services reachable from the dify host, enabling lateral movement across the dify.ai environment.
Root Cause
The code node initializes the JavaScript execution context without freezing or shadowing global built-ins before running untrusted code. User code can therefore reassign globals like parseInt. When the sandbox harness or supporting library later invokes that global, it executes the attacker's function in a privileged context.
Attack Vector
Exploitation requires an authenticated user with permission to define or edit a workflow containing a code node. The attacker submits JavaScript that overrides a commonly used global, then triggers the workflow. The vulnerability is exploitable over the network against any dify instance running an affected version. Refer to the Huntr bounty listing for the technical writeup.
Detection Methods for CVE-2025-3466
Indicators of Compromise
- Workflow code nodes containing reassignments of JavaScript globals such as parseInt, parseFloat, Array, or Object.prototype members.
- Unexpected outbound connections from the dify worker container to internal network ranges or metadata services.
- Process executions spawned by the dify runtime that are inconsistent with normal workflow operations, such as sh, curl, or nc.
- Access to environment files, /proc/self/environ, or secret stores from the dify worker process.
Detection Strategies
- Audit stored workflow definitions for code nodes that redefine global identifiers or wrap built-in functions.
- Monitor the dify worker process for child processes outside the expected JavaScript runtime.
- Alert on dify host egress to non-approved internal subnets, especially cloud metadata endpoints such as 169.254.169.254.
Monitoring Recommendations
- Enable verbose logging on the dify code node executor and forward logs to a central SIEM for review.
- Track authentication events for accounts with workflow edit privileges and flag bulk workflow modifications.
- Baseline normal network behavior for the dify deployment and alert on deviations indicating lateral movement.
How to Mitigate CVE-2025-3466
Immediate Actions Required
- Upgrade all dify instances to version 1.1.3 or later, which contains the official fix.
- Review workflow audit logs for code nodes created or modified between the 1.1.0 release and patch deployment.
- Rotate any secrets, API keys, and credentials accessible to the dify worker process if exploitation is suspected.
- Restrict the user roles permitted to create or edit code nodes until patching is complete.
Patch Information
The langgenius maintainers released the fix in dify 1.1.3. The remediation is published in the upstream GitHub commit. Operators running self-hosted deployments should pull the patched image or rebuild from the tagged release.
Workarounds
- Disable the code node feature in dify until the upgrade to 1.1.3 is applied.
- Place the dify worker behind strict egress filtering that blocks access to internal services and cloud metadata endpoints.
- Run the dify worker container as a non-root user and with a read-only filesystem to limit the impact of a sandbox escape.
# Upgrade dify to the patched release
git fetch --tags
git checkout 1.1.3
docker compose pull
docker compose up -d
# Verify running version
docker compose exec api python -c "import dify; print(dify.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
