CVE-2025-63388
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-63388, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-18
Last Modified
2025-12-19
Generated
2026-07-06
AI Q&A
2025-12-18
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
langgenius dify 1.9.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate mitigation steps include updating the CORS policy on the /console/api/system-features endpoint to restrict allowed origins to trusted domains only, and ensure that Access-Control-Allow-Credentials is not set to true for arbitrary origins. If possible, upgrade to a fixed version of Dify that addresses this issue or apply patches provided by the vendor. Additionally, monitor and restrict access to the vulnerable endpoint until the fix is applied. [1]

Executive Summary

CVE-2025-63388 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability in Dify version 1.9.1, specifically in the /console/api/system-features endpoint. The endpoint has an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials to true. This allows any external domain to make authenticated cross-origin requests, meaning a malicious website can trick an authenticated user into exposing sensitive system configuration information to an attacker. [1]

Impact Analysis

This vulnerability can lead to information disclosure. An attacker can craft a malicious website that, when visited by an authenticated user, can make cross-origin requests to the vulnerable endpoint and retrieve sensitive system configuration data without authorization. [1]

Detection Guidance

You can detect this vulnerability by testing the /console/api/system-features endpoint for CORS misconfiguration. Specifically, send HTTP requests with arbitrary Origin headers and check if the response reflects these Origin headers and includes the Access-Control-Allow-Credentials: true header. For example, using curl: curl -H "Origin: http://malicious.example.com" -I https://your-dify-instance/console/api/system-features and verify if the Access-Control-Allow-Origin header reflects the Origin value and Access-Control-Allow-Credentials is set to true. This indicates the presence of the vulnerability. [1]

Compliance Impact

This vulnerability can lead to unauthorized disclosure of sensitive system configuration information due to the overly permissive CORS policy allowing authenticated cross-origin requests. Such unauthorized access to sensitive data may result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive information from unauthorized access. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart