CVE-2025-43854

Low CVSS: 2.3

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.

Vendor

Langgenius

Product

Dify

CWE

CWE-1021

Yayın Tarihi

2025-04-28 16:15:33

Güncelleme

2025-05-12 19:37:01

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-1021 Dify LOW Langgenius 2025

Referanslar

https://github.com/langgenius/dify/pull/18516 https://github.com/langgenius/dify/security/advisories/GHSA-jhgq-cx3f-vj5p https://github.com/langgenius/dify/security/advisories/GHSA-jhgq-cx3f-vj5p

Benzer Kayıtlar

High

CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to th…

Critical

CVE-2025-56157

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file inclu…

Critical

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup en…

Critical

CVE-2025-63388

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-f…

Medium

CVE-2025-11750

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning d…

Low

CVE-2025-58747

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable t…