CVE-2025-11750 — MEDIUM (5.3)

Vulnerability Description

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Langgenius	Dify	1.6.0

Related Weaknesses (CWE)

CWE-544

References

https://huntr.com/bounties/e7359f9f-c004-4304-9de9-753622d370a1ExploitThird Party Advisory
https://huntr.com/bounties/e7359f9f-c004-4304-9de9-753622d370a1ExploitThird Party Advisory

FAQ

What is CVE-2025-11750?

CVE-2025-11750 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, wh...

How severe is CVE-2025-11750?

CVE-2025-11750 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-11750?

Check the references section above for vendor advisories and patch information. Affected products include: Langgenius Dify.