CVE-2025-63388
BaseFortify
Publication date: 2025-12-18
Last updated on: 2025-12-19
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langgenius | dify | 1.9.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the CORS policy on the /console/api/system-features endpoint to restrict allowed origins to trusted domains only, and ensuring that Access-Control-Allow-Credentials is not set to true for arbitrary origins. If possible, upgrade to a fixed version of Dify that addresses this issue, or apply patches provided by the vendor. Additionally, monitor and restrict access to the vulnerable endpoint until the fix is applied. [1]
Can you explain this vulnerability to me?
CVE-2025-63388 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability in Dify version 1.9.1, specifically in the /console/api/system-features endpoint. The endpoint has an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials to true. This allows any external domain to make authenticated cross-origin requests, meaning a malicious website can trick an authenticated user into exposing sensitive system configuration information to an attacker. [1]
How can this vulnerability impact me?
This vulnerability can lead to information disclosure. An attacker can craft a malicious website that, when visited by an authenticated user, can make cross-origin requests to the vulnerable endpoint and retrieve sensitive system configuration data without authorization. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by testing the /console/api/system-features endpoint for CORS misconfiguration. Specifically, send HTTP requests with arbitrary Origin headers and check whether the response reflects that Origin value and includes the Access-Control-Allow-Credentials: true header. For example, using curl:

`curl -H "Origin: http://malicious.example.com" -I https://your-dify-instance/console/api/system-features`

Then verify whether the Access-Control-Allow-Origin header reflects the Origin value and Access-Control-Allow-Credentials is set to true. That combination indicates the presence of the vulnerability. [1] Note that -I sends a HEAD request; if the server handles HEAD differently from GET, repeat the check with -i to see the headers of a normal GET. curl does not enforce CORS itself, so the check is purely about which headers the server returns; the browser is what enforces the policy.
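The same header check, as an added example that is not part of this page or of Dify's code: `classify_cors` evaluates the response headers for a request that carried a probe Origin and distinguishes the credentialed origin-reflection pattern from the harmless cases (no CORS headers, a fixed allowlist, or a wildcard, which browsers refuse to pair with credentials); `probe` wraps it with a live request using only the standard library. The probe origin value is constructed.

```python
"""Classify a CORS response for the credentialed origin-reflection pattern
described for CVE-2025-63388. Added example, not Dify's own code."""
import urllib.request

# Constructed probe origin; any origin the server should not trust works the same way.
PROBE_ORIGIN = "https://cors-probe.invalid"


def classify_cors(probe_origin, headers):
    """Return a verdict for response headers of a request that carried
    'Origin: probe_origin'. `headers` may be a dict (any key case) or an
    http.client.HTTPMessage; keys are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"

    if acao is None:
        return "no-cors"  # browsers block cross-origin reads entirely
    if acao == "*":
        # The Fetch spec forbids '*' together with credentials, so browsers
        # reject that pair; only anonymous reads are exposed here.
        return "wildcard-credentials-ignored" if creds else "wildcard"
    if acao == probe_origin:
        # Reflection alone exposes anonymous data; with credentials it lets a
        # malicious site read the response as the logged-in user.
        return "reflected-with-credentials" if creds else "reflected"
    return "allowlisted"  # a fixed origin that is not ours was returned


def probe(url, probe_origin=PROBE_ORIGIN, timeout=10):
    """Send one GET with a probe Origin and classify the CORS headers."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_cors(probe_origin, resp.headers)


if __name__ == "__main__":
    # Constructed response headers matching the advisory's description.
    vulnerable = {
        "Access-Control-Allow-Origin": PROBE_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    }
    print(classify_cors(PROBE_ORIGIN, vulnerable))  # reflected-with-credentials
```

Run `probe("https://your-dify-instance/console/api/system-features")` against your own instance; a result of `reflected-with-credentials` is the condition this CVE describes.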
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can lead to unauthorized disclosure of sensitive system configuration information due to the overly permissive CORS policy allowing authenticated cross-origin requests. Such unauthorized access to sensitive data may result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive information from unauthorized access. [1]