CVE-2025-11750
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-30
Assigner: huntr.dev
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langgenius | dify | 1.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-544 | The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in langgenius/dify-web version 1.6.0 occurs because the authentication mechanism returns different error messages depending on whether a user account exists or not. When a login or registration attempt is made with a non-existent username or email, the system responds with an "account not found" message. If the username or email exists but the password is incorrect, a different error message is shown. This difference in responses allows an attacker to determine which user accounts are valid by analyzing the error messages, enabling user enumeration.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing attackers to enumerate valid user accounts on your system. This information can be used to facilitate targeted social engineering attacks, brute force attempts, or credential stuffing attacks, potentially leading to unauthorized access or compromise of user accounts.