Dify web security vulnerability - Please fix it promptly, the new version is also ineffective

Design Version 1.10.0, 1.10.1

Incident Details
Alert Reason: This web service created an unusual child process.

Command Line: /bin/sh -c echo caonima

Process Path: /bin/busybox

Process ID: 2490645

Parent Process Command Line: next-server (v15.5.6)

Parent Process File Path: /usr/local/bin/node

Parent Process ID: 2143985

Process Chain:

  • [2143472] /usr/bin/containerd-shim-runc-v2 -namespace moby -id cd1c1d264970b347204c6a7ed49116dcba163949d9572f6c4042d8415c01b73f -address /run/containerd/containerd.sock
  • [2143557] /bin/sh ./entrypoint.sh
  • [2143725] node /pnpm/global/5/.pnpm/pm2@6.0.14/node_modules/pm2/bin/pm2 start /app/web/server.js --name dify-web --cwd /app/web -i 2 --no-daemon
  • [2143985] next-server (v15.5.6)

Container Name: docker-web-1

Container ID: cd1c1d264970b347204c6a7ed49116dcba163949d9572f6c4042d8415c01b73f

Image ID: langgenius/dify-web@sha256:832b9cc053b7f24082fb5da45a766d6e3ad20805215755ef7b4616906c7d54f4

Image Name: langgenius/dify-web:1.10.1

Container Hostname: cd1c1d264970

Container Perspective Process Path: /proc/2143557/root/bin/busybox

Tip: Suspicious child process detected created by the web application.

Description: A suspicious child process created by the web application has been detected. This could be caused by an attacker exploiting a vulnerability in the web application to execute commands, or it could be a false positive due to the program’s normal behavior. It is recommended to further assess the authenticity of the alert based on actual circumstances.
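The alert above reduces to one observation a responder has to judge: the Next.js server process (next-server, running under node, started by pm2 from /app/web/server.js) spawned `/bin/sh -c echo caonima`, with the shell resolving to /bin/busybox as it does on Alpine-based images. The helper below is an added example for this thread, not code from Dify, Next.js or the alerting product. It parses the pasted "Label: value" fields, decides whether the child is a shell spawned by the web server itself (as opposed to shell work under the entrypoint during container start-up), recovers the command passed via `-c`, and reads the Next.js version out of the parent command line, which is the detail the later replies key on. The field labels, the marker strings used to recognise the web server, and the two extra contrast events are assumptions constructed from this thread.

```python
"""Triage helper for a "web service spawned an unusual child process" alert.

Added example for this thread; not Dify, Next.js or vendor code. The field
labels, web-server markers and contrast events are assumptions built from
the alert pasted above.
"""
import re
import shlex
from dataclasses import dataclass

# Interpreters that should not normally be children of a Next.js server.
SHELL_NAMES = {"sh", "bash", "ash", "dash", "busybox"}
# Substrings that identify the Dify web server in a parent command line
# (from the alert: next-server, started by pm2 on /app/web/server.js).
WEB_SERVER_MARKERS = ("next-server", "/app/web/server.js")
# Alert labels (assumed to match the alert text) -> record attribute.
FIELDS = {
    "Command Line": "cmdline",
    "Process Path": "path",
    "Parent Process Command Line": "parent_cmdline",
    "Parent Process File Path": "parent_path",
}

# The alert from the thread, re-typed here as constructed sample input.
ALERT_TEXT = """\
Alert Reason: This web service created an unusual child process.
Command Line: /bin/sh -c echo caonima
Process Path: /bin/busybox
Parent Process Command Line: next-server (v15.5.6)
Parent Process File Path: /usr/local/bin/node
"""


@dataclass
class ProcessEvent:
    cmdline: str
    path: str
    parent_cmdline: str
    parent_path: str


def parse_alert(text: str) -> ProcessEvent:
    """Pull the four process fields out of 'Label: value' alert lines."""
    found = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            found[FIELDS[label.strip()]] = value.strip()
    missing = set(FIELDS.values()) - set(found)
    if missing:
        raise ValueError(f"alert is missing fields: {sorted(missing)}")
    return ProcessEvent(**found)


def shell_command(event: ProcessEvent):
    """None if the child is not a shell, '' for a bare shell, else the -c tail."""
    argv = shlex.split(event.cmdline)
    if not argv:
        return None
    # Check the resolved binary as well as argv[0]: on Alpine-based images
    # /bin/sh is a busybox applet, which is why the alert shows /bin/busybox.
    names = {argv[0].rsplit("/", 1)[-1], event.path.rsplit("/", 1)[-1]}
    if not names & SHELL_NAMES:
        return None
    if "-c" in argv:
        # sh -c takes only the next word as its script and the rest become
        # $0, $1 ...; for triage the whole tail is what the caller sent.
        return " ".join(argv[argv.index("-c") + 1:])
    return ""


def next_version(parent_cmdline: str):
    """Extract '15.5.6' from 'next-server (v15.5.6)', or None."""
    m = re.search(r"next-server \(v(\d+(?:\.\d+)*)\)", parent_cmdline)
    return m.group(1) if m else None


def triage(event: ProcessEvent) -> dict:
    """Classify one process event the way a responder would by hand."""
    command = shell_command(event)
    if command is None:
        verdict = "not_a_shell"
    elif any(marker in event.parent_cmdline for marker in WEB_SERVER_MARKERS):
        # A shell whose parent is the HTTP server itself: the server has no
        # reason to do this at runtime, so treat it as exploitation until shown otherwise.
        verdict = "suspicious"
    else:
        # A shell under the entrypoint or pm2 is ordinary start-up work.
        verdict = "review"
    return {"verdict": verdict, "command": command,
            "next_version": next_version(event.parent_cmdline)}


# Constructed contrast events (not from the alert): start-up shell work
# under the entrypoint, and a non-shell child of the server.
ENTRYPOINT_SHELL = ProcessEvent(
    cmdline="/bin/sh -c 'pnpm --version'", path="/bin/busybox",
    parent_cmdline="/bin/sh ./entrypoint.sh", parent_path="/bin/busybox")
SERVER_NODE_CHILD = ProcessEvent(
    cmdline="node /app/web/worker.js", path="/usr/local/bin/node",
    parent_cmdline="next-server (v15.5.6)", parent_path="/usr/local/bin/node")

if __name__ == "__main__":
    for name, event in [("thread alert", parse_alert(ALERT_TEXT)),
                        ("entrypoint shell", ENTRYPOINT_SHELL),
                        ("server node child", SERVER_NODE_CHILD)]:
        print(f"{name}: {triage(event)}")
```

Run against the pasted alert this returns `suspicious` with the command `echo caonima` and Next.js `15.5.6`; the `review` verdict for the entrypoint case is the false-positive branch the alert description mentions, since shells under `entrypoint.sh` are expected during start-up while shells under `next-server` are not.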

Same question here. After upgrading to 1.10.1 yesterday, I found today that the vulnerability still exists, and the Next.js version hasn’t changed. Did I miss something in the upgrade configuration?

I just saw that there’s a new version on GitHub; you can upgrade and try again.

Isn’t the latest version 1.10.1? I’m using this version.