Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. NOTE: the Supplier disputes this, providing the rationale of "sending requests with credentials does not provide any additional access compared to unauthenticated requests."

INFO

Published Date :

2025-12-18T00:00:00.000Z

Last Modified :

2026-01-28T16:07:53.494Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-63388 vulnerability.

Vendors Products
Dify
  • Dify
Langgenius
  • Dify
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-63388.

URL Resource
https://gist.github.com/Cristliu/5ded6d03e41d7d66ecb1b568bae3ff6c cve-icon cve-icon
https://gist.github.com/Cristliu/c2bc7d05abd89db8eb542a453a528d77 cve-icon cve-icon
https://github.com/langgenius/dify/discussions cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact