CVE-2025-63386

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests.

PUBLISHED Reserved 2025-10-27 | Published 2025-12-18 | Updated 2025-12-19 | Assigner mitre

References

github.com/langgenius/dify/discussions

gist.github.com/Cristliu/1610daac87c711ac3e0250c58f5cc4f9

cve.org (CVE-2025-63386)

nvd.nist.gov (CVE-2025-63386)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.