dify-exploit

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The content is explicitly malicious: it provides unauthenticated exploit instructions, ready-to-run payloads and automation (curl commands, Nuclei templates) to perform SSRF that reads cloud metadata (credential theft) and a prototype-pollution deserialization RCE that executes arbitrary commands and suggests reverse shells — enabling data exfiltration, remote code execution, and full system compromise.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow and templates (SKILL.md plus references and scripts/CVE-2025-56520.yaml and scripts/CVE-2025-55182.yaml) explicitly instruct sending HTTP requests to arbitrary Dify instances and parsing untrusted responses (e.g., GET /console/api/remote-files/... and checking the x-action-redirect header) which the agent must read and use to decide follow-up exploit actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill provides detailed, actionable exploit and post‑exploitation instructions (SSRF → RCE → obtain shell and lateral movement), which enable modifying target systems (and could be used against the agent's host), so it pushes the agent to compromise machine state.