VYPR
Unrated severityOSV Advisory· Published Dec 18, 2025· Updated Feb 11, 2026

CVE-2025-63386

CVE-2025-63386

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Langgenius/DifyOSV2 versions
    0.10.0, 0.10.1, 0.10.2, …+ 1 more
    • (no CPE)range: 0.10.0, 0.10.1, 0.10.2, …
    • (no CPE)range: = v1.9.1

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.