CVE-2025-32790

Medium CVSS: 6.3

Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrator users to export DSL. A workaround for this vulnerability involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can export the APP DSL. This vulnerability is fixed in 0.6.13.

Vendor

Langgenius

Product

Dify

CWE

CWE-284

Yayın Tarihi

2025-04-18 13:15:58

Güncelleme

2025-06-19 00:36:04

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-284 Dify MEDIUM Langgenius 2025

Referanslar

https://github.com/langgenius/dify/commit/59ad091e69736bc9dc1a3bace62ec0a232346246 https://github.com/langgenius/dify/pull/5841 https://github.com/langgenius/dify/security/advisories/GHSA-jp6m-v4gw-5vgp https://github.com/langgenius/dify/security/advisories/GHSA-jp6m-v4gw-5vgp

Benzer Kayıtlar

High

CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to th…

Critical

CVE-2025-56157

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file inclu…

Critical

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup en…

Critical

CVE-2025-63388

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-f…

Medium

CVE-2025-11750

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning d…

Low

CVE-2025-58747

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable t…