Cross-Site Scripting Vulnerability in Dify Open-Source App Development Platform
CVE-2025-49149

5.3 MEDIUM

Key Information:

Vendor: Langgenius
Status: Vendor
CVE Published: 17 June 2025

What is CVE-2025-49149?

Dify, an open-source large language model (LLM) app development platform, contains a cross-site scripting vulnerability caused by inadequate filtering of user input. In version 1.2.0, this flaw allows an attacker to inject malicious script into web pages served by the platform, which executes in the browser of a user who interacts with the affected page. Developers and users of Dify should be aware of this vulnerability and apply compensating security measures until a patched version is released.

Affected Version(s)

dify = 1.2.0

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
  • Vulnerability reserved
