CVE-2025-63387 Scanner

Dify is a widely used application in various industries for managing and controlling system features and configurations. IT administrators and technical teams primarily use it to streamline system processes and ensure seamless integration across platforms. With Dify, users can access a centralized interface to modify system settings, monitor processes, and enhance overall infrastructure management. The platform offers detailed analytics and customizable settings, making it an essential tool for organizations aiming to improve operational efficiency. However, as with many complex systems, vulnerabilities may arise, requiring consistent monitoring and timely updates to protect against potential security breaches.

Missing Authorization is a critical vulnerability where access control measures are insufficient, allowing unauthorized users to gain access to sensitive areas of the application. In Dify v1.9.1, this vulnerability is due to inadequate authorization checks in the /console/api/system-features endpoint. Unauthenticated attackers can exploit this flaw to access restricted system configuration data. Without proper access control, sensitive information could be exposed, potentially compromising the integrity and security of the system. This type of vulnerability is especially concerning because it does not require prior authentication, widening the potential attack surface.

The vulnerability in Dify v1.9.1 is specifically located in the endpoint /console/api/system-features, which lacks proper authorization checks. This flaw allows unauthenticated attackers to send requests to this endpoint and receive sensitive configuration data in response. The lack of verification for user credentials at this endpoint makes it vulnerable to exploitation. Attackers can easily reproduce this vulnerability by crafting a simple HTTP GET request to this endpoint and analyzing the JSON response for configuration details. The primary issue here is the failure to enforce strict authorization protocols, which would typically protect such sensitive data from unauthorized access.

If exploited, the Missing Authorization vulnerability in Dify can lead to significant security breaches. Unauthorized access to system configuration data can provide attackers with insights into the system's setup, potentially leading to further exploits within the infrastructure. Information disclosure from the system-features endpoint could reveal critical details such as enabled features, enforced security protocols, and other sensitive configurations. Such disclosure can aid attackers in planning additional attacks or bypassing existing security measures. Ultimately, this vulnerability can compromise the confidentiality, integrity, and availability of the system and its data.

REFERENCES

• https://nvd.nist.gov/vuln/detail/CVE-2025-63387