CVE-2025-63386
CRITICALDescription
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| langgenius | dify |
References
Frequently Asked Questions
What is CVE-2025-63386? +
How severe is CVE-2025-63386? +
What products are affected by CVE-2025-63386? +
How do I check if I'm vulnerable to CVE-2025-63386? +
Related Vulnerabilities
OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may …
Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its …
Improper Verification of Source of a Communication Channel in Work Desktop for Mac versions 10.8.1.46 and earlier allows attackers to …
"This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints." An insufficient validation in …
In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to …
DNS rebinding vulnerability in Neo4j Cypher MCP server allows malicious websites to bypass Same-Origin Policy protections and execute unauthorised tool …