CVE ID: CVE-2025-63386
Date: 2025-12-18
Vendor: LangGenius (Dify)
Product: Dify
Affected Versions: v1.9.1
Vulnerability Type: Insecure Permissions / CORS Misconfiguration
Severity: Medium (Information Disclosure)
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests.
- Component: /console/api/setup API endpoint, Dify console application
- Vulnerability: The application blindly reflects the Origin header from the request in the Access-Control-Allow-Origin response header and sets Access-Control-Allow-Credentials to true.
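The following is an added illustration, not Dify's own code, showing the weak header pattern described above next to an allowlist-based hardened form, plus a small audit check that flags a response reflecting an arbitrary Origin with credentials enabled. The allowlist and origin values are constructed examples.

```python
"""Reflected-Origin CORS with credentials: weak pattern, hardened pattern, and a check."""

# Constructed allowlist of origins that may call the console API with credentials.
ALLOWED_ORIGINS = {"https://console.example.internal"}


def insecure_cors_headers(request_origin: str) -> dict:
    """Reproduces the weak pattern: echo whatever Origin arrives and allow credentials."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def hardened_cors_headers(request_origin: str, allowlist=ALLOWED_ORIGINS) -> dict:
    """Only allowlisted origins receive an ACAO header; unknown origins get none.

    'Vary: Origin' stops a shared cache from serving one origin's answer to another.
    Without ACAO the browser refuses to expose the response to the calling page.
    """
    if request_origin in allowlist:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def is_reflective_with_credentials(request_origin: str, headers: dict) -> bool:
    """True when the response echoes the request Origin and allows credentials.

    A literal '*' is not reflection (and browsers reject '*' with credentials).
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    return acac and acao is not None and acao != "*" and acao == request_origin


def audit(handler, probe_origin: str = "https://untrusted.example") -> bool:
    """Feed a handler an origin that is not on the allowlist; True means misconfigured."""
    return is_reflective_with_credentials(probe_origin, handler(probe_origin))


if __name__ == "__main__":
    print("insecure handler misconfigured:", audit(insecure_cors_headers))  # True
    print("hardened handler misconfigured:", audit(hardened_cors_headers))  # False
```

The same check can be run against captured response headers from a test deployment to confirm a fix, provided the probe origin is one the deployment should not trust.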
Attack Type: Remote
Attack Vectors: An attacker can host a malicious website that issues cross-origin requests to the vulnerable setup endpoint. When an authenticated administrator or user visits that website, the browser attaches the user's credentials to the request and, because the misconfigured CORS policy reflects arbitrary origins while allowing credentials, the malicious page can read the installation and setup information in the response.
Impact:
- Information Disclosure: Attackers can retrieve sensitive installation and setup information.
- Vendor Repository: https://github.com/langgenius/dify
- Discussions: https://github.com/langgenius/dify/discussions
Discovered and reported by Zhihuang Liu (herecristliu@gmail.com)