{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-63387", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-12-18T18:20:20.714Z", "dateReserved": "2025-10-27T00:00:00.000Z", "datePublished": "2025-12-18T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-12-18T18:20:20.714Z"}, "descriptions": [{"lang": "en", "value": "Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/langgenius/dify/discussions"}, {"url": "https://gist.github.com/Cristliu/cddc0cbbf354de51106ab63a11be94af"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data."}], "id": "CVE-2025-63387", "lastModified": "2025-12-18T19:16:33.157", "metrics": {}, "published": "2025-12-18T19:16:33.157", "references": [{"source": "cve@mitre.org", "url": "https://gist.github.com/Cristliu/cddc0cbbf354de51106ab63a11be94af"}, {"source": "cve@mitre.org", "url": "https://github.com/langgenius/dify/discussions"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"created": "2025-12-19T09:18:04.239320+00:00", "updated": "2025-12-19T09:18:04.239346+00:00", "vendors": ["langgenius", "langgenius$PRODUCT$dify"]}