CVE-2025-63388
BaseFortify

Publication date: 2025-12-18

Last updated on: 2025-12-19

Assigner: MITRE

Description
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-19
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: langgenius
Product: dify
Version / Range: 1.9.1
CWE
CWE-346: The product does not properly verify that the source of data or communication is valid.
Compliance Impact

This vulnerability can lead to unauthorized disclosure of sensitive system configuration information due to the overly permissive CORS policy allowing authenticated cross-origin requests. Such unauthorized access to sensitive data may result in non-compliance with data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive information from unauthorized access. [1]

Mitigation Strategies

Immediate mitigation steps include updating the CORS policy on the /console/api/system-features endpoint to restrict allowed origins to trusted domains only, and ensuring that Access-Control-Allow-Credentials is not set to true for arbitrary origins. If possible, upgrade to a fixed version of Dify that addresses this issue or apply patches provided by the vendor. Additionally, monitor and restrict access to the vulnerable endpoint until the fix is applied. [1]

Executive Summary

CVE-2025-63388 is a Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability in Dify version 1.9.1, specifically in the /console/api/system-features endpoint. The endpoint has an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials to true. This allows any external domain to make authenticated cross-origin requests, meaning a malicious website can trick an authenticated user into exposing sensitive system configuration information to an attacker. [1]

Impact Analysis

This vulnerability can lead to information disclosure. An attacker can craft a malicious website that, when visited by an authenticated user, can make cross-origin requests to the vulnerable endpoint and retrieve sensitive system configuration data without authorization. [1]

Detection Guidance

You can detect this vulnerability by testing the /console/api/system-features endpoint for CORS misconfiguration. Specifically, send HTTP requests with arbitrary Origin headers and check whether the response reflects the Origin value in Access-Control-Allow-Origin and also includes the Access-Control-Allow-Credentials: true header. For example, using curl:
curl -H "Origin: http://malicious.example.com" -I https://your-dify-instance/console/api/system-features
If the Access-Control-Allow-Origin header reflects the Origin value and Access-Control-Allow-Credentials is set to true, the vulnerability is present. [1]
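The following script is an added example, not part of the original page or of Dify: it sends the same probe as the curl command above and then classifies the response headers with the rule the guidance describes (origin reflected verbatim and credentials allowed). The target URL and the probe origin are assumed values.

```python
"""Classify a CORS response for the CVE-2025-63388 condition.

Added example (not Dify code). The probe mirrors the page's curl check:
send an arbitrary Origin, then inspect Access-Control-Allow-Origin and
Access-Control-Allow-Credentials in the reply.
"""
from typing import Mapping
import urllib.request

PROBE_ORIGIN = "http://malicious.example.com"  # same origin as the curl example


def cors_verdict(origin_sent: str, headers: Mapping[str, str]) -> dict:
    """Return which risky CORS properties a response exhibits.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    allow_creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    reflected = acao == origin_sent
    return {
        "reflects_origin": reflected,
        "allow_credentials": allow_creds,
        # The CVE condition: an arbitrary origin is echoed back AND credentials
        # are allowed, so a browser will attach the victim's session cookie.
        "vulnerable": reflected and allow_creds,
        # A literal '*' with credentials is rejected by browsers, so it is not
        # the same finding; it is reported separately for review.
        "wildcard_origin": acao == "*",
    }


def probe(url: str, origin: str = PROBE_ORIGIN, timeout: float = 10.0) -> dict:
    """Send the HEAD request from the curl example and classify the reply.

    Requires network access to the assumed Dify instance URL.
    """
    req = urllib.request.Request(url, method="HEAD", headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return cors_verdict(origin, dict(resp.headers.items()))


if __name__ == "__main__":
    import sys

    # Usage: python cors_check.py https://your-dify-instance/console/api/system-features
    print(probe(sys.argv[1]))
```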
