CVE-2025-58747 is a cross-site scripting vulnerability classified under CWE-79, affecting the langgenius dify platform, an LLM application development environment. The vulnerability exists in the OAuth flow implementation of the MCP OAuth component in dify versions up to 1.9.1. Specifically, the authorization_url parameter, which is expected to be a URL for OAuth authorization, is directly passed to the JavaScript function window.open without any validation or sanitization. This allows an attacker who controls a remote MCP OAuth server to craft a malicious authorization_url containing a JavaScript URI scheme (e.g., javascript:alert(1)). When a user connects to this attacker-controlled MCP server, the malicious script executes in the context of the dify application, enabling arbitrary JavaScript execution. This can lead to session hijacking, data theft, or other client-side attacks depending on the application's context and privileges. The vulnerability requires user interaction (the user must connect to the malicious MCP server) but does not require authentication or elevated privileges. The CVSS 4.0 base score is 2.0, reflecting low severity due to the need for user interaction and limited scope of impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability highlights the importance of input validation and sanitization in OAuth flows, especially when dealing with external or third-party servers.

For European organizations, the impact of this vulnerability is primarily on the confidentiality and integrity of user sessions within the dify platform. If exploited, attackers could execute arbitrary JavaScript, potentially stealing sensitive information, manipulating user interactions, or performing actions on behalf of the user within the application context. However, the requirement for user interaction and connection to a malicious MCP server limits the attack surface. Organizations using dify in environments where users might connect to untrusted or external MCP servers are at higher risk. The vulnerability could undermine trust in AI application development platforms and disrupt workflows if exploited. Given the growing adoption of AI and LLM development platforms in Europe, especially in countries investing heavily in AI research and development, this vulnerability could pose a reputational and operational risk. However, the low CVSS score and absence of known exploits suggest the immediate risk is limited but should not be ignored.

1. Avoid connecting to untrusted or unknown MCP OAuth servers within the dify platform until a patch is available. 2. Implement network-level controls to restrict connections to only trusted MCP servers. 3. Monitor user activity for unusual OAuth connection attempts or unexpected redirects. 4. Encourage users to report suspicious authorization prompts or unexpected behavior during OAuth flows. 5. Once available, promptly apply security patches or updates from langgenius addressing this vulnerability. 6. Consider implementing additional client-side input validation or sanitization in custom deployments or forks of dify. 7. Educate developers and users about the risks of connecting to untrusted third-party OAuth providers. 8. Employ Content Security Policy (CSP) headers to restrict script execution sources in the dify application environment, mitigating the impact of potential XSS attacks.