Clickjacking Vulnerability in DIFY Application by Lang Genius
CVE-2025-43854
2.3LOW
Summary
The DIFY open-source LLM app development platform contains a clickjacking vulnerability in its default setup prior to version 1.3.0. This flaw enables malicious actors to manipulate the web interface, deceiving users into unintentionally clicking on concealed elements. As a result, unauthorized actions can be performed, potentially jeopardizing users' security and privacy. Users are advised to update to version 1.3.0 to mitigate this risk.
Affected Version(s)
dify < 1.3.0
References
CVSS V4
Score:
2.3
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown
Timeline
Vulnerability published
Vulnerability Reserved