CVE-2025-63386
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-18

Last updated on: 2026-02-11

Assigner: MITRE

Description
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2026-02-11
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63386
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langgenius dify 1.9.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Origin Resource Sharing (CORS) misconfiguration in Dify version 1.9.1 at the /console/api/setup endpoint. The endpoint insecurely reflects the Origin header from incoming requests into the Access-Control-Allow-Origin response header without validation and sets Access-Control-Allow-Credentials to true. This allows any external domain to make authenticated cross-origin requests to the endpoint, enabling an attacker to perform actions or retrieve sensitive setup information by tricking an authenticated user into visiting a malicious website. [1]

Impact Analysis

The vulnerability can lead to information disclosure by allowing attackers to access confidential installation and setup data remotely. An attacker can exploit this by hosting a malicious website that makes authenticated cross-origin requests on behalf of an authenticated user, potentially exposing sensitive configuration information. [1]

Detection Guidance

You can detect this vulnerability by sending a request to the /console/api/setup endpoint with a custom Origin header and inspecting the response headers. If the Access-Control-Allow-Origin header reflects the Origin you sent and Access-Control-Allow-Credentials is set to true, the system is vulnerable. For example, use curl to test: curl -i -H "Origin: http://malicious.example.com" https://your-dify-instance/console/api/setup and check if the response includes Access-Control-Allow-Origin: http://malicious.example.com and Access-Control-Allow-Credentials: true. [1]

Mitigation Strategies

Immediate mitigation steps include restricting the Access-Control-Allow-Origin header to only trusted domains instead of reflecting any Origin header, and disabling Access-Control-Allow-Credentials unless absolutely necessary. Applying any available patches or updates from the vendor that address this CORS misconfiguration is also recommended. [1]

Compliance Impact

The vulnerability allows attackers to perform authenticated cross-origin requests and access sensitive installation and setup information, leading to potential information disclosure. This could result in unauthorized access to confidential data, which may violate data protection requirements under standards like GDPR and HIPAA that mandate safeguarding personal and sensitive information against unauthorized access. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63386. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart