CVE 9.1 CRITICAL

CVE-2025-63388_CVE-2025-63388

December 19, 2025 invoker category_cve
9.1 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests.

AI Analysis

CORS misconfiguration vulnerability allowing authenticated cross-origin requests

Basic Information

ID CVE-2025-63388
Source mitre
Published Dec 18, 2025 at 00:00
Modified Dec 19, 2025 at 21:29

Affected Product

Vendor langgenius
Product Dify
Version 1.9.1
Affected Versions n/a n/a n/a

CWE Classification

CWE-346

AI Assessment

AI Score 9.1 / 10
AI Severity Critical
Vendor langgenius
Product Dify
Version 1.9.1

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.