Vulnerability Description
DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.
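Clickjacking is possible because a browser will render a page inside another origin's frame unless the response forbids it; the standard mitigation is a Content-Security-Policy `frame-ancestors` directive or an `X-Frame-Options` header. The checker below is an added illustration, not code from the Dify project or its fix: it classifies a response's headers and runs over constructed sample header sets (the `framing_protection` name and the sample values are assumptions).

```python
"""Classify HTTP response headers by clickjacking (UI-redress) protection.

Added illustration for the Dify clickjacking advisory; not Dify's own code
and not a reproduction of its patch. Browsers give a CSP frame-ancestors
directive precedence over X-Frame-Options, so the check does the same.
"""
from typing import Dict, List, Optional


def _csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'csp', 'xfo', or 'none' (page can be framed by any origin).

    Header names are matched case-insensitively. An empty or wildcard
    frame-ancestors list is reported as 'none' so it gets reviewed.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:
            if sources and "*" not in sources:
                return "csp"          # 'none', 'self' or explicit origin list
            return "none"             # frame-ancestors present but permissive
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"                  # legacy header; ALLOW-FROM is not honoured
    return "none"


# Constructed sample responses (assumptions, not captured from a real deployment).
DEFAULT_LIKE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for name, hdrs in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(f"{name}: framing protection = {framing_protection(hdrs)}")
```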
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Langgenius | Dify | <= 0.6.8 |
Related Weaknesses (CWE)
References
- https://github.com/langgenius/dify/pull/18516 (Issue Tracking, Patch)
- https://github.com/langgenius/dify/security/advisories/GHSA-jhgq-cx3f-vj5p (Vendor Advisory)
FAQ
What is CVE-2025-43854?
CVE-2025-43854 is a vulnerability with a CVSS score of 6.1 (MEDIUM). DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick use...
How severe is CVE-2025-43854?
CVE-2025-43854 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-43854?
Check the references section above for vendor advisories and patch information. Affected products include: Langgenius Dify.