Home

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests.

PUBLISHED Reserved 2025-10-27 | Published 2025-12-18 | Updated 2025-12-19 | Assigner mitre

References

github.com/langgenius/dify/discussions

gist.github.com/Cristliu/5ded6d03e41d7d66ecb1b568bae3ff6c

cve.org (CVE-2025-63388)

nvd.nist.gov (CVE-2025-63388)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.