@Cristliu
Created December 18, 2025 07:26
CVE-2025-63387 Security Advisory - Unauthenticated Access in Dify

Security Advisory: CVE-2025-63387 - Unauthenticated Access to System Features in Dify

  • CVE ID: CVE-2025-63387
  • Date: 2025-12-18
  • Vendor: LangGenius (Dify)
  • Product: Dify
  • Affected Versions: v1.9.1
  • Vulnerability Type: Insecure Permissions / Authentication Bypass
  • Severity: Medium (Information Disclosure)

Summary

Dify v1.9.1 is affected by an insecure permissions issue. An unauthenticated attacker can send an HTTP GET request to the /console/api/system-features endpoint without any credentials or session token and receive the full response. Because the endpoint performs no authentication or authorization check, anyone who can reach the console API can read the system configuration data it returns.

Vulnerability Details

  • Component: /console/api/system-features API endpoint, authentication middleware
  • Vulnerability: Lack of authentication checks on the API endpoint.
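The root cause listed above is a console route that never asks who is calling. The following is an added example, not Dify's code and not from the advisory: a minimal WSGI application in which the "system features" handler has no check of its own (the vulnerable shape), beside a deny-by-default guard that enforces authentication once for every path under /console/api/ except an explicit public allowlist. The route names, the bearer-token session store and the `call` helper are assumptions made for the illustration, and the session table and feature payload are constructed.

```python
"""Deny-by-default authentication guard for a console API (minimal WSGI example).

Added illustration, not Dify's code. Route names, the bearer-token session
table and the feature payload are assumptions chosen to mirror the advisory.
The structural point: enforce authentication in one wrapper around the whole
/console/api/ prefix, so a handler that forgets its own check is still covered.
"""
import hmac
import json
from typing import Callable, Iterable, Optional, Tuple

# Constructed session table for the example only (token -> user).
VALID_SESSIONS = {"s3ss10n-token-for-demo": "user@example.invalid"}

# Constructed payload standing in for system configuration data.
SYSTEM_FEATURES = {"feature_a_enabled": True, "sso_enforced": False}

WSGIApp = Callable[[dict, Callable], Iterable[bytes]]


def _json(start_response, status: str, payload: dict) -> Iterable[bytes]:
    body = json.dumps(payload).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(body)))])
    return [body]


def console_api(environ, start_response):
    """Handlers with no authentication of their own: the vulnerable shape."""
    path = environ.get("PATH_INFO", "")
    if path == "/console/api/system-features":
        return _json(start_response, "200 OK", SYSTEM_FEATURES)
    if path == "/console/api/login":
        return _json(start_response, "200 OK", {"login": "form"})
    return _json(start_response, "404 Not Found", {"error": "not found"})


def _session_user(environ) -> Optional[str]:
    """Resolve a 'Authorization: Bearer <token>' header to a user, or None."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for known, user in VALID_SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return user
    return None


def require_auth(app: WSGIApp, prefix: str = "/console/api/",
                 public: Tuple[str, ...] = ("/console/api/login",)) -> WSGIApp:
    """Wrap app so every path under prefix needs a session unless listed as public."""
    def guarded(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(prefix) and path not in public:
            user = _session_user(environ)
            if user is None:
                return _json(start_response, "401 Unauthorized",
                             {"error": "authentication required"})
            environ["app.user"] = user  # handlers downstream can trust this
        return app(environ, start_response)
    return guarded


def call(app: WSGIApp, path: str, authorization: Optional[str] = None) -> Tuple[int, dict]:
    """Invoke a WSGI app in-process (no network) and return (status code, JSON body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


vulnerable_app = console_api              # every route answers anonymously
hardened_app = require_auth(console_api)  # same handlers behind the guard

if __name__ == "__main__":
    print("vulnerable, anonymous:", call(vulnerable_app, "/console/api/system-features"))
    print("hardened, anonymous:  ", call(hardened_app, "/console/api/system-features"))
    print("hardened, session:    ", call(hardened_app, "/console/api/system-features",
                                         "Bearer s3ss10n-token-for-demo"))
```

The guard is intentionally an allowlist of public paths rather than a per-handler decorator: a newly added or refactored console route is protected by default, and the public list is the one place a reviewer has to audit.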

Attack Vector & Impact

Attack Type: Remote

Attack Vectors: A single HTTP GET request to /console/api/system-features, sent with no session cookie and no Authorization header, is answered with the endpoint's full response. No prior interaction with the instance (registration, login, or an existing session) is required; the only precondition is network reachability of the console API.
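Operators who want to confirm whether their own instance enforces authentication on this path can issue exactly the request described above. The script below is an added example, not part of the advisory or of the Dify project: it sends one credential-free GET to the endpoint and classifies the outcome. The base URL is supplied by the caller, and the response bodies used in the examples are constructed; the classification treats a 401 or 403 as "authentication enforced", a 200 carrying a non-empty JSON object as the anonymous access the advisory describes, and anything else (for example a redirect to a login page, which urllib follows and which then yields HTML) as inconclusive.

```python
"""Probe for unauthenticated access to /console/api/system-features.

Added example, not code from the advisory or the Dify project. It assumes only
that the console API is reachable at the base URL given on the command line
and that the endpoint answers with JSON when it does answer.
"""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/console/api/system-features"


def classify(status: int, body: bytes) -> str:
    """Map the status and body of a credential-free GET to a verdict.

    401/403             -> "auth-enforced"          (the fixed behaviour)
    200 + JSON object   -> "unauthenticated-access" (the advisory's finding)
    anything else       -> "inconclusive"           (login redirect, proxy error, ...)
    """
    if status in (401, 403):
        return "auth-enforced"
    if status == 200:
        try:
            data = json.loads(body.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return "inconclusive"  # e.g. an HTML login page after a followed redirect
        if isinstance(data, dict) and data:
            return "unauthenticated-access"
    return "inconclusive"


def probe(base_url: str, timeout: float = 10.0):
    """Send a GET with no cookies and no Authorization header; return (status, body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        headers={"Accept": "application/json", "User-Agent": "cve-2025-63387-check"},
        method="GET",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive here; the body is still readable and worth classifying.
        return err.code, err.read()


def main(argv) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} https://dify.example.invalid", file=sys.stderr)
        return 2
    status, body = probe(argv[1])
    verdict = classify(status, body)
    print(f"{ENDPOINT}: HTTP {status} -> {verdict}")
    if verdict == "unauthenticated-access":
        # Report only the key names, not the values, to avoid echoing configuration.
        print("exposed top-level keys:", ", ".join(sorted(json.loads(body).keys())))
    return 1 if verdict == "unauthenticated-access" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it only against instances you are authorised to test; a non-zero exit status means the endpoint answered anonymously, which makes the check easy to wire into a post-upgrade verification step.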

Impact:

  • Information Disclosure: the endpoint's response reveals system configuration data to anyone who can reach the console API, without credentials.

References

Credits

Discovered and reported by Zhihuang Liu (herecristliu@gmail.com)
