Clickjacking Vulnerability in DIFY Application by Lang Genius
CVE-2025-43854

2.3LOW

Key Information:

Vendor
Langgenius
Status
Vendor
CVE Published:
28 April 2025

Summary

The DIFY open-source LLM app development platform contains a clickjacking vulnerability in its default setup prior to version 1.3.0. This flaw enables malicious actors to manipulate the web interface, deceiving users into unintentionally clicking on concealed elements. As a result, unauthorized actions can be performed, potentially jeopardizing users' security and privacy. Users are advised to update to version 1.3.0 to mitigate this risk.

Affected Version(s)

dify < 1.3.0

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.