XSS Vulnerability in langgenius/dify Affects Firefox Browsers
CVE-2025-3467
What is CVE-2025-3467?
A Cross-Site Scripting (XSS) vulnerability exists in certain versions of langgenius/dify when the application is accessed through Firefox browsers. An attacker sends a malicious script as a payload in a published chat. When an administrator later views that chat content through the monitoring feature, the script executes in the administrator's browser and can capture the administrator's token, potentially leading to the unauthorized disclosure of this sensitive token.
Affected Version(s)
langgenius/dify < 1.1.3
News Articles
CVE-2025-3467 | langgenius dify up to 1.1.2 Monitoring/Log cross site scripting
A vulnerability classified as problematic has been found in langgenius dify up to 1.1.2. This affects an unknown part of the component Monitoring/Log. The manipulation leads to cross site scriptin…
Timeline
- First article discovered by Yanac.hu
- Vulnerability published
- Vulnerability reserved
