9.1

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LanggeniusDify Version1.9.1 SwPlatformnode.js
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.21% 0.113
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

https://github.com/langgenius/dify/discussions
Issue Tracking
https://gist.github.com/Cristliu/1610daac87c711ac3e0250c58f5cc4f9
Third Party Advisory
https://gist.github.com/Cristliu/8ad993126be05c9210c71cc7d49fa112
https://github.com/langgenius/dify/pull/32224