CVE-2025-11750

Exploit

EPSS 0.54%
Veröffentlicht 22.10.2025 13:13:32
Zuletzt bearbeitet 30.10.2025 17:46:46
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Langgenius ≫ Dify Version1.6.0 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.54%	0.668

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security@huntr.dev	4.3	2.8	1.4	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-544 Missing Standardized Error Handling Mechanism

The product does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.

https://huntr.com/bounties/e7359f9f-c004-4304-9de9-753622d370a1

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-11750

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-11750

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-11750

EUVD