Summary
Responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify.
Details and PoC
1. Send a request with a valid email and an incorrect password:
POST /console/api/login HTTP/2
Host: dify.test
Content-Type: application/json
Content-Length: 98
{"email":"valid_email@dify.test","password":"<incorrect_password>","language":"en-US","remember_me":true}
Response from API: 401 Invalid email or password.
2. Send a request with an invalid email and password:
POST /console/api/login HTTP/2
Host: dify.test
Content-Type: application/json
Content-Length: 98
{"email":"invalid_email@dify.testttttt","password":"<incorrect_password>","language":"en-US","remember_me":true}
Response from API: 400 Account not found.
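The two responses above differ in both status code and message, so a single failed login tells the caller whether the email is registered. The following is an added illustration of the defensive pattern (a uniform failure response and uniform work on both paths); it is not Dify's code and not the change made in the referenced fix PR. The in-memory account store, the salt and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac

# Constructed in-memory account store for the demo: email -> (salt, password hash).
# This is not Dify's data model; a real deployment reads from its own storage.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-0123"  # constructed value
ACCOUNTS = {
    "valid_email@dify.test": (_SALT, _hash_password("correct horse battery", _SALT)),
}

# Dummy hash verified when the account does not exist, so the unknown-account
# path performs the same hashing work as the known-account path (no timing gap).
_DUMMY_HASH = _hash_password("dummy", _SALT)


def login_vulnerable(email: str, password: str) -> tuple:
    """Reproduces the reported behaviour: distinct responses leak whether the
    email is registered (400 vs. 401)."""
    record = ACCOUNTS.get(email)
    if record is None:
        return 400, "Account not found."
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return 401, "Invalid email or password."
    return 200, "OK"


def login_fixed(email: str, password: str) -> tuple:
    """Uniform response: same status, same message and same amount of work for
    an unknown account and for a wrong password on a known account."""
    record = ACCOUNTS.get(email)
    salt, stored = record if record is not None else (_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    # Always run the comparison; succeed only if the account really exists.
    ok = hmac.compare_digest(candidate, stored) and record is not None
    if not ok:
        return 401, "Invalid email or password."
    return 200, "OK"


def responses_differ(handler, known: str, unknown: str, password: str) -> bool:
    """Regression check: does the handler answer differently for a registered
    and an unregistered email when the password is wrong?"""
    return handler(known, password) != handler(unknown, password)


if __name__ == "__main__":
    for name, handler in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name,
              handler("valid_email@dify.test", "wrong"),
              handler("invalid_email@dify.testttttt", "wrong"))
```

The `responses_differ` check is the kind of assertion worth keeping in a test suite: it fails on the vulnerable handler and passes on the fixed one. The same uniform-response rule applies to the sign-up and password-reset flows of a login system, and the comparison should cover status code, body and response size, not just the message text.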
Impact
An attacker can enumerate the email addresses registered in Dify, which facilitates a subsequent brute-force (password-guessing) attack against those accounts.
The mitigating factor is the account brute-force protection, which is why the severity is set to low.
Fix
#24323