Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.

INFO

Published Date :

2025-12-18T00:00:00.000Z

Last Modified :

2026-02-11T14:09:22.325Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-63386 vulnerability.

Vendors Products
Dify
  • Dify
Langgenius
  • Dify
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-63386.

URL Resource
https://gist.github.com/Cristliu/1610daac87c711ac3e0250c58f5cc4f9 cve-icon cve-icon
https://gist.github.com/Cristliu/8ad993126be05c9210c71cc7d49fa112 cve-icon cve-icon
https://github.com/langgenius/dify/discussions cve-icon cve-icon
https://github.com/langgenius/dify/pull/32224 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact