CVE-2025-63388
Severity: CRITICAL
Dify v1.9.1 - CSRF
Title source: llm
Description
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. NOTE: the Supplier disputes this, providing the rationale of "sending requests with credentials does not provide any additional access compared to unauthenticated requests."
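As an added illustration, not code from Dify or from this record: the response-header logic that produces the reflected-Origin-plus-credentials pattern described above, beside an allowlisted variant, with the check a configuration audit or CI test can assert on. The allowlist and origin values are constructed assumptions.

```python
# Added example (not Dify's code): weak CORS logic beside a hardened variant.
# Pure functions over the request's Origin header, so this runs offline.
from typing import Optional

# Constructed allowlist of origins the console front-end is served from (assumption).
ALLOWED_ORIGINS = {"https://console.example.com"}


def cors_headers_permissive(origin: Optional[str]) -> dict:
    """Weak policy: echo whatever Origin arrives and allow credentials.
    With Allow-Credentials: true a browser lets that origin read the
    authenticated response; this is the CWE-346 pattern the CVE describes."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_headers_allowlisted(origin: Optional[str]) -> dict:
    """Hardened policy: echo the Origin only when it exactly matches an
    allowlist entry (scheme and host); otherwise emit no CORS headers, so
    the browser blocks the cross-origin read."""
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_cross_origin_readable(headers: dict, origin: str) -> bool:
    """Defender's check: would a page at `origin` be allowed to read a
    credentialed response carrying these headers? An audit should assert
    this is False for every origin not on the allowlist."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    # Browsers reject "*" together with credentials, so only an exact echo counts.
    return creds and acao == origin
```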
Scores
CVSS v3: 9.1
EPSS: 0.0001
EPSS Percentile: 0.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Classification
CWE: CWE-346
Status: published
Affected Products (1)
langgenius/dify
Timeline
Published: Dec 18, 2025
Tracked Since: Feb 18, 2026