CVE ID: CVE-2025-63388
Date: 2025-12-18
Vendor: LangGenius (Dify)
Product: Dify
Affected Versions: v1.9.1
Vulnerability Type: Insecure Permissions / CORS Misconfiguration
Severity: Medium (Information Disclosure)
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests.
- Component: /console/api/system-features API endpoint, Dify console application
- Vulnerability: Insecure CORS configuration allowing arbitrary origins with credentials.
Attack Type: Remote
Attack Vectors: An attacker can craft a malicious website that makes cross-origin requests to the vulnerable endpoint. When an authenticated user visits the attacker's website, the malicious page can retrieve sensitive system configuration information, because the misconfigured CORS policy allows credentialed access from arbitrary origins.
Impact:
- Information Disclosure: Attackers can retrieve sensitive system configuration information.
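To illustrate the misconfiguration described above and its remediation, the following Python snippet is an added example (not Dify's code): it contrasts the reflected-Origin pattern with an allowlist-based handler and includes a header check a defender can run against their own deployment's responses. The allowlisted console origin is a constructed placeholder, not a value from the advisory.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the origin(s) the console UI is actually served from.
# A real deployment would take this from configuration, not a hard-coded set.
CONSOLE_ORIGINS = {"https://console.example.internal"}


def reflect_origin_headers(origin):
    """The weak pattern: echo whatever Origin arrives and also allow credentials.

    Browsers honour this combination, so any site can read the response
    with the victim's cookies attached. This is the behaviour the advisory
    describes; it is shown only as the 'before' state.
    """
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def allowlisted_origin_headers(origin, allowed=CONSOLE_ORIGINS):
    """Hardened pattern: grant CORS only to an exact, allowlisted origin.

    The Origin is normalised to scheme://host[:port] and compared as a whole,
    so prefix/suffix look-alikes and the literal 'null' origin get no grant.
    'Vary: Origin' keeps caches from serving one origin's grant to another.
    """
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else None
    if normalized not in allowed:
        return {}  # no ACAO header at all: browser blocks the cross-origin read
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_credentialed_reflection(request_origin, response_headers, trusted=CONSOLE_ORIGINS):
    """Detection rule for a regression test: the response echoes an untrusted
    Origin verbatim AND allows credentials. Header names are matched
    case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return acao == request_origin and creds and request_origin not in trusted
```

Running the check against the response to a request sent with a foreign Origin header is a cheap way to confirm the fix has landed after upgrading.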
- Vendor Repository: https://github.com/langgenius/dify
- Discussions: https://github.com/langgenius/dify/discussions
Discovered and reported by Zhihuang Liu (herecristliu@gmail.com)