One Simple Mistake, Thousands at Risk (medium.com)

🤖 AI Summary
A security researcher's analysis of the popular open-source AI platform Dify shows that simple, widespread misconfigurations, not novel code bugs, can expose thousands of deployments to data theft, internal network scanning, and remote code execution. Dify ships with static, well-known defaults (e.g., the Postgres user's default password is difyai123456), and several services are often exposed by default in docker-compose setups. In tests, ~70% of sampled DBs still used the default password and ~90% of sampled instances had a misconfigured SSRF proxy (Squid). About 25K Dify servers were discoverable in a quick scan, and the platform is used by many large enterprises.

Technically, attackers can exploit the plugin-daemon (HTTP port 5002, TCP 5003) by uploading a malicious plugin package via /plugin/:tenant_id/management/install/upload/package (packages can be signed using the official dify-plugin dev tool) and triggering installation at /plugin/:tenant_id/management/install/identifiers, leading to arbitrary code execution if SERVER_KEY/X-Api-Key remains at its default.

Separately, the ssrf-proxy's /api/remote-files/upload allows unauthenticated users with an "anonymous" key to fetch internal HTTP resources (GET-only, no custom headers), turning Dify into a scanning proxy for finding internal apps (Grafana, GitLab, etc.).

Mitigations: restrict public exposure (ideally only nginx), rotate default secrets (DB_PASSWORD, REDIS_PASSWORD, PLUGIN_DAEMON_KEY, INNER_API_KEY_FOR_PLUGIN), and correctly configure the ssrf_proxy/Squid rules.
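One way to check the secret-rotation mitigation on a deployment, as an added example that is not code from the article or from Dify: it compares the four variables named above in a deployed env file against the file the project ships and reports any that are unset, unchanged, or reused. It assumes both files are plain KEY=VALUE text; every sample value except difyai123456 is a constructed placeholder.

```python
import re

# Secret variables named in the summary; the one default value it quotes.
SECRET_KEYS = ("DB_PASSWORD", "REDIS_PASSWORD",
               "PLUGIN_DAEMON_KEY", "INNER_API_KEY_FOR_PLUGIN")
KNOWN_DEFAULTS = {"difyai123456"}
_LINE = re.compile(r"\s*(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping comments and stripping quotes."""
    env = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # comment, blank line, or not an assignment
        val = m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        env[m.group(1)] = val
    return env

def audit(deployed_text, shipped_text):
    """Return {key: finding} for secrets that still need rotating."""
    deployed, shipped = parse_env(deployed_text), parse_env(shipped_text)
    values = [deployed.get(k) for k in SECRET_KEYS]
    findings = {}
    for key, val in zip(SECRET_KEYS, values):
        if not val:
            findings[key] = "unset"  # a default from elsewhere may apply
        elif val in KNOWN_DEFAULTS or val == shipped.get(key):
            findings[key] = "shipped-default"
        elif values.count(val) > 1:
            findings[key] = "reused"  # one leak would expose two services
    return findings

# Constructed stand-in for the shipped example file (placeholder values).
SHIPPED = """DB_PASSWORD=difyai123456
REDIS_PASSWORD=example-redis-default
PLUGIN_DAEMON_KEY=example-daemon-default
INNER_API_KEY_FOR_PLUGIN=example-inner-default"""
# Constructed deployed file: one secret rotated, two not, one missing.
DEPLOYED = """# constructed sample
DB_PASSWORD=difyai123456
REDIS_PASSWORD="q7Vd2nXw9LrT4bYe8KpA1sHm"
PLUGIN_DAEMON_KEY=example-daemon-default"""

if __name__ == "__main__":
    for key, finding in audit(DEPLOYED, SHIPPED).items():
        print(f"{key}: {finding}")
```

An empty result means every listed secret is set, differs from the shipped value, and is unique; it says nothing about which ports are published or how Squid is configured.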