Insecure Permissions in Dify by LangGenius
CVE-2025-63387

Currently unrated

Key Information:

Vendor: LangGenius
Status: Vendor
CVE Published: 18 December 2025

What is CVE-2025-63387?

CVE-2025-63387 is a vulnerability identified in version 1.9.1 of Dify, developed by LangGenius. Dify is a platform that provides various system functions, potentially including data management and user interactions. The vulnerability lies in insecure permissions: unauthenticated attackers can issue HTTP GET requests to the /console/api/system-features endpoint without any form of authentication or session token. This lets unauthorized parties read sensitive system configuration data, compromising the security and integrity of the system. The missing authorization check poses a significant risk to organizations running this software, exposing critical information and potentially enabling further attacks.
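The following Python sketch is an added illustration of the pattern behind this class of flaw; it is not Dify's code and not the vendor's fix (which this page does not describe). It contrasts a console route that returns system configuration to anyone with the same route behind a session check, and adds a separate, allow-listed public variant for the case where a login page genuinely needs a few fields before authentication. The handler names, the `SYSTEM_FEATURES` dictionary, the bearer-token session store and the `PUBLIC_FIELDS` allow-list are all constructed assumptions.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the sensitive configuration the endpoint exposes.
SYSTEM_FEATURES: Dict[str, object] = {
    "sso_enforced": False,
    "enable_email_password_login": True,
    "license_key_hint": "CONSTRUCTED-PLACEHOLDER",
}

# Constructed session store: token -> user. A real service would validate a
# signed token or look the session up in a database instead.
VALID_SESSION_TOKENS: Dict[str, str] = {secrets.token_hex(16): "admin"}

# Hypothetical allow-list of fields that are safe to serve before login.
PUBLIC_FIELDS = {"sso_enforced"}

Response = Tuple[int, Dict[str, object]]
Handler = Callable[[Dict[str, str]], Response]


def _bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>', if present."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def is_authenticated(headers: Dict[str, str]) -> bool:
    """True only when the request carries a known session token."""
    token = _bearer_token(headers)
    if token is None:
        return False
    # Constant-time comparison avoids leaking token bytes through timing.
    return any(hmac.compare_digest(token, known) for known in VALID_SESSION_TOKENS)


def require_console_auth(handler: Handler) -> Handler:
    """Decorator that rejects unauthenticated requests with 401."""
    def wrapped(headers: Dict[str, str]) -> Response:
        if not is_authenticated(headers):
            return 401, {"error": "unauthorized"}
        return handler(headers)
    return wrapped


def system_features_vulnerable(headers: Dict[str, str]) -> Response:
    """Insecure pattern: no authorization check at all, so any caller
    that can reach the endpoint receives the full configuration."""
    return 200, dict(SYSTEM_FEATURES)


@require_console_auth
def system_features_fixed(headers: Dict[str, str]) -> Response:
    """Hardened pattern: identical body, but only for authenticated sessions."""
    return 200, dict(SYSTEM_FEATURES)


def system_features_public(headers: Dict[str, str]) -> Response:
    """Hypothetical pre-login variant: only allow-listed fields are returned,
    so an unauthenticated login page gets what it needs and nothing more."""
    return 200, {k: v for k, v in SYSTEM_FEATURES.items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    anonymous: Dict[str, str] = {}
    print("vulnerable, no auth:", system_features_vulnerable(anonymous))
    print("fixed, no auth:     ", system_features_fixed(anonymous))
    token = next(iter(VALID_SESSION_TOKENS))
    print("fixed, with session:", system_features_fixed({"Authorization": f"Bearer {token}"}))
    print("public subset:      ", system_features_public(anonymous))
```

The design point is that the check belongs on the route, not in the client: a console endpoint that returns deployment configuration should be wrapped by the same session guard as the rest of the console, and any field that must be readable before login should be served from a separate response built from an explicit allow-list rather than by loosening the guard on the full object.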

Potential impact of CVE-2025-63387

  1. Data Exposure: Unauthorized access to sensitive configuration data can result in exposure of critical system parameters, which attackers could leverage to plan further attacks or exploit other vulnerabilities within the system.

  2. Loss of System Integrity: With the ability to access and manipulate system features without proper authentication, an attacker could alter settings that might disrupt normal operations, leading to downtime and loss of service.

  3. Increased Attack Surface: By providing a pathway for unauthenticated access, this vulnerability can facilitate further intrusions into the network, increasing the likelihood of more severe incidents, such as data breaches or ransomware deployment.

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved
