CRITICAL · 9.1

CVE-2025-63388

Vulnerability Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. NOTE: the Supplier disputes this, providing the rationale of "sending requests with credentials does not provide any additional access compared to unauthenticated requests."
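As an added illustration (not Dify's code; written independently of any web framework), the reflecting pattern the description names beside an allow-list alternative, with a header check a defender can run over captured responses. The probe origin, the trusted-origin set and the header dictionaries are constructed sample values, not taken from Dify.

```python
from typing import Dict, Optional, Set

ACAO = "Access-Control-Allow-Origin"
ACAC = "Access-Control-Allow-Credentials"


def reflecting_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern described in the advisory: echo whatever Origin the
    browser sent and also allow credentials, so any site can make
    cookie-bearing cross-origin requests and read the response."""
    headers: Dict[str, str] = {}
    if origin:
        headers[ACAO] = origin
        headers[ACAC] = "true"
    return headers


def allowlist_cors_headers(origin: Optional[str], allowed: Set[str]) -> Dict[str, str]:
    """Hardened pattern: only an exact-match origin from a fixed allow-list
    gets ACAO/ACAC; unknown origins get no CORS headers, so the browser
    blocks the cross-origin read. 'Vary: Origin' keeps caches from serving
    one origin's headers to another."""
    headers: Dict[str, str] = {}
    if origin in allowed:
        headers[ACAO] = origin
        headers[ACAC] = "true"
        headers["Vary"] = "Origin"
    return headers


def is_permissive_credentialed_cors(probe_origin: str, response_headers: Dict[str, str],
                                    trusted: Set[str]) -> bool:
    """Flag a captured response as showing the misconfiguration: the probe
    origin (one the site should not trust) is reflected in ACAO while
    ACAC is 'true'. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    acao = lowered.get(ACAO.lower())
    credentials = lowered.get(ACAC.lower(), "").strip().lower() == "true"
    if not acao or not credentials:
        return False
    # '*' combined with credentials is rejected by browsers, so only an
    # exact reflection of an untrusted origin counts as the vulnerable case.
    return acao == probe_origin and acao not in trusted


# Constructed sample values for a self-contained run.
TRUSTED = {"https://app.example"}
PROBE = "https://probe.example"
```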

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: NONE

Affected Products

Vendor       Product   Versions
Langgenius   Dify      1.9.1

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-63388?

CVE-2025-63388 is a vulnerability with a CVSS score of 9.1 (CRITICAL). A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that ...

How severe is CVE-2025-63388?

CVE-2025-63388 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-63388?

Check the references section above for vendor advisories and patch information. Affected products include: Langgenius Dify.