Vulnerability Details: CVE-2025-63387
Dify v1.9.1 is vulnerable to Insecure Permissions (a missing authorization check). An unauthenticated attacker can send HTTP GET requests directly to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint does not enforce an authorization check, so anonymous clients can read sensitive system configuration data.
Exploit Prediction Scoring System (EPSS)
EPSS score: 0.045
EPSS percentile (ranking): 88.8%
CVSS Severity
CVSS v3 score: 7.5 (High)
Products affected by CVE-2025-63387
- cpe:2.3:a:langgenius:dify:1.9.1