Clickjacking Vulnerability in DIFY Application by Lang Genius
CVE-2025-43854

2.3LOW

Key Information:

Vendor: Langgenius
Status: Dify
Vendor: CVE Published:; 28 April 2025

Summary

The DIFY open-source LLM app development platform contains a clickjacking vulnerability in its default setup prior to version 1.3.0. This flaw enables malicious actors to manipulate the web interface, deceiving users into unintentionally clicking on concealed elements. As a result, unauthorized actions can be performed, potentially jeopardizing users' security and privacy. Users are advised to update to version 1.3.0 to mitigate this risk.

Affected Version(s)

dify < 1.3.0

References

https://github.com/langgenius/dify/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/langgenius/dify/pull/18516

x_refsource_MISC

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Apr 28, 2025
Vulnerability Reserved
Apr 17, 2025