6.3

CVE-2025-32790

Exploit

Dify Allows Insecure User Role Access Control for APP DSL Exporting

Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrator users to export DSL. A workaround for this vulnerability involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can export the APP DSL. This vulnerability is fixed in 0.6.13.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LanggeniusDify SwPlatformnode.js Version < 0.6.13
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.168
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
security-advisories@github.com 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/langgenius/dify/security/advisories/GHSA-jp6m-v4gw-5vgp
Vendor Advisory
Exploit
Mitigation
https://github.com/langgenius/dify/pull/5841
Vendor Advisory
Issue Tracking
https://github.com/langgenius/dify/commit/59ad091e69736bc9dc1a3bace62ec0a232346246
Patch