cbcvebase.
CVE-2025-63387
published 2025-12-18

Priority: P1 · 85 · high
CVSS 3.1 base score: 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, Exploit, VulnCheck KEV
Exploited in the wild
EPSS: 28.04% (97.9th percentile)
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. They also state that the description inaccurately classifies the returned data as sensitive system configuration, stating that the data is non-sensitive and required for client-side rendering. No PII, credentials, or secrets are exposed.

Affected (1 range)

Vendor       Product   Version range   Fixed in
langgenius   dify

Detection & IOCs (extracted from sources)

URL: /console/api/system-features
  • Send an unauthenticated HTTP GET request to /console/api/system-features; a vulnerable Dify instance will return HTTP 200 with a JSON body containing both '"status":' and '"sso_enforced_for_signin":' fields and Content-Type: application/json.
  • FOFA query 'app="Dify"' can be used to identify internet-exposed Dify instances potentially affected by this unauthenticated endpoint.
  • The Dify maintainer states the /console/api/system-features endpoint is intentionally unauthenticated by design, serving as a bootstrap mechanism for dashboard initialization, and that the returned data is non-sensitive (no PII, credentials, or secrets exposed). Detection of a 200 response does NOT necessarily indicate a misconfiguration or compromise.

CVSS provenance

NVD: CVSS v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH