CVE-2025-43854

MEDIUM

DIFY <1.3.0 - CSRF

Title source: llm

Description

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.

References (2)

[Vendor Advisory] https://github.com/langgenius/dify/security/advisories/GHSA-jhgq-cx3f-vj5p

[Issue Tracking, Patch] https://github.com/langgenius/dify/pull/18516

Scores

CVSS v3 6.1

EPSS 0.0017

EPSS Percentile 38.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-1021

Status published

Products (1)

langgenius/dify < 0.6.8

Published Apr 28, 2025

Tracked Since Feb 18, 2026