CVE-2025-63387

Description

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data.

PUBLISHED Reserved 2025-10-27 | Published 2025-12-18 | Updated 2025-12-19 | Assigner mitre

References

github.com/langgenius/dify/discussions

gist.github.com/Cristliu/cddc0cbbf354de51106ab63a11be94af

cve.org (CVE-2025-63387)

nvd.nist.gov (CVE-2025-63387)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.