Unrated severityOSV Advisory· Published Dec 18, 2025· Updated Feb 11, 2026

CVE-2025-63386

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.

Affected products

Langgenius/DifyOSV
Range: 0.10.0, 0.10.1, 0.10.2, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

gist.github.com/Cristliu/1610daac87c711ac3e0250c58f5cc4f9mitre
gist.github.com/Cristliu/8ad993126be05c9210c71cc7d49fa112mitre
github.com/langgenius/dify/pull/32224mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000