
CVE-2025-63387: n/a

Published: Thu Dec 18 2025 (12/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data.

AI-Powered Analysis

Last updated: 12/18/2025, 18:56:20 UTC

Technical Analysis

CVE-2025-63387 describes insecure permissions on the /console/api/system-features endpoint of Dify v1.9.1. The route answers an HTTP GET request that carries no session cookie and no API token, so anyone who can reach the console port can read the system configuration data it returns. Nothing stands between an anonymous request and that data: there is no session validation and no authorization check on the route. The disclosed information can shape follow-on attacks by telling an attacker which features and integrations the deployment has enabled. The CVE record names only v1.9.1 and does not state which other releases are affected, so operators should verify their own version rather than assume. No public exploit has been reported, but exploitation requires nothing more than a single unauthenticated GET, so the absence of a published exploit offers no protection. No CVSS score has been assigned, and the severity given here is an independent assessment: given the impact on confidentiality, exploitation without credentials, and the potential scope of affected systems, the vulnerability is rated high. The underlying lesson is that administrative and configuration routes need explicit access control checks, including routes that only read data.

Potential Impact

For European organizations, the vulnerability means that anyone who can reach a Dify console can read its system configuration data, which may include which features are enabled, how the deployment is configured, and which security settings are in effect. That knowledge helps an attacker choose the next step, whether a targeted exploit against an enabled integration, a credential attack against an exposed login method, or a move toward other systems the deployment talks to. Organizations in regulated sectors such as finance, healthcare and critical infrastructure face compliance exposure and reputational damage if configuration data covered by their controls is disclosed. Because no credentials are needed, every instance whose console is reachable from the internet is exposed; application-layer authentication on the other console routes does not help, and only restricting network access to the console reduces the attack surface. The endpoint is also an easy reconnaissance target for APT groups profiling European entities. With no public exploit reported yet, there is a window in which to restrict access before exploitation becomes routine.

Mitigation Recommendations

1. Require authentication on /console/api/system-features. Apply the vendor fix when one is available; until then, front the console with a reverse proxy that rejects requests to the route carrying neither a session cookie nor an Authorization header (a presence check only, but it stops the anonymous GET the CVE describes), and confirm with an unauthenticated GET that the route now returns 401 or 403 rather than 200.
2. Keep the console off the public internet: restrict it to an IP allowlist or put it behind a VPN, since the endpoint itself asks for no credentials.
3. Audit every console API route for access control, giving priority to routes that return system or configuration data.
4. Monitor reverse-proxy and application logs for successful (HTTP 200) requests to the endpoint from addresses outside the allowlist; treat each one as a potential exploitation attempt until shown otherwise.
5. Track the Dify project for a release that addresses the issue and plan the upgrade; the CVE record names only v1.9.1 and does not state a fixed version.
6. Add a WAF rule that blocks requests to the endpoint lacking the session cookie or authorization header the console normally sends.
7. Train development and operations teams in secure API design so that access control is enforced on every route, not only on those that change state.
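The following script is an added example for this advisory, not code from the CVE record, from this site, or from the Dify project. It does two things a practitioner wants when triaging this CVE: it sends exactly the request the description names (a GET to /console/api/system-features with no cookie and no token) and classifies the answer, and it runs the log check from the mitigation list over reverse-proxy access log lines, flagging every HTTP 200 on the route from an address outside an allowlist. It assumes the proxy writes nginx "combined" format; the log lines, IP addresses and the `https://dify.example.internal` URL in the usage comment are constructed for the example, and the probe is only exercised when a URL is passed on the command line.

```python
"""Added check for CVE-2025-63387 (not part of the advisory or of Dify itself).

Two pieces: an unauthenticated probe of /console/api/system-features that
reports whether the route answers without credentials, and a triage pass
over reverse-proxy access log lines that flags external 200s on the route.
The sample log lines below are constructed for this example.
"""
import json
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

ENDPOINT = "/console/api/system-features"


@dataclass
class ProbeResult:
    status: Optional[int]          # HTTP status, or None if the request failed
    exposed: bool                  # True when the route returned a JSON object without credentials
    keys: List[str] = field(default_factory=list)  # top-level keys returned, for the operator to review
    error: Optional[str] = None


def classify_response(status: int, body: bytes) -> ProbeResult:
    """Interpret the response to a credential-less GET.

    A 200 carrying a JSON object means the route is readable anonymously; the
    key names are recorded so the operator can judge what was disclosed.
    401/403 means some check is in front of the route; anything else is noted.
    """
    if status != 200:
        return ProbeResult(status, False)
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return ProbeResult(status, False, error="200 with a non-JSON body")
    if isinstance(data, dict):
        return ProbeResult(status, True, sorted(data))
    return ProbeResult(status, False, error="200 with unexpected JSON shape")


def probe(base_url: str, timeout: float = 10.0) -> ProbeResult:
    """Send exactly the request the CVE describes: GET, no cookie, no token."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        method="GET",
        headers={"Accept": "application/json", "User-Agent": "cve-2025-63387-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:      # 4xx/5xx responses arrive here
        return classify_response(exc.code, exc.read())
    except (urllib.error.URLError, OSError) as exc:
        return ProbeResult(None, False, error=str(exc))


# nginx "combined" log format, assumed to be what the reverse proxy in front
# of the Dify console writes; adjust the pattern for other proxies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def suspicious_hits(lines: Iterable[str], allowlist: Iterable[str] = ()) -> List[dict]:
    """Return every 200 on the endpoint from an address outside the allowlist.

    The proxy log cannot show whether a session was present, so every external
    success is reported; correlate with Dify's own logs to confirm.
    """
    allowed = set(allowlist)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # ignore query strings
        if path != ENDPOINT or m.group("status") != "200" or m.group("ip") in allowed:
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "ua": m.group("ua")})
    return hits


# Constructed sample lines (not real traffic): two external 200s, one allowlisted
# 200, one 403, and a 401 on an unrelated console route.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2025:19:02:11 +0000] "GET /console/api/system-features HTTP/1.1" 200 412 "-" "curl/8.5.0"
10.0.0.5 - - [18/Dec/2025:19:02:30 +0000] "GET /console/api/system-features HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Dec/2025:19:03:02 +0000] "GET /console/api/system-features HTTP/1.1" 403 57 "-" "python-requests/2.32"
198.51.100.23 - - [18/Dec/2025:19:03:05 +0000] "GET /console/api/system-features?x=1 HTTP/1.1" 200 412 "-" "python-requests/2.32"
203.0.113.7 - - [18/Dec/2025:19:04:00 +0000] "GET /console/api/workspaces/current HTTP/1.1" 401 33 "-" "curl/8.5.0"
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python check.py https://dify.example.internal
        result = probe(sys.argv[1])
        print("EXPOSED" if result.exposed else "not exposed", result)
    for hit in suspicious_hits(SAMPLE_LOG.splitlines(), allowlist={"10.0.0.5"}):
        print("review:", hit)
```

Run the probe against a staging copy first, and read the returned key names rather than stopping at "exposed": the advisory says the data is sensitive configuration, and the key list is what tells you which settings your deployment actually disclosed. Once the fix or the proxy rule from step 1 is in place, the same probe should report a 401 or 403, and any remaining external 200 in the log triage is worth an incident ticket.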


Technical Details

Data Version
5.2
Assigner Short Name
mitre
Date Reserved
2025-10-27T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 69444aef4eb3efac36a086c2

Added to database: 12/18/2025, 6:41:51 PM

Last enriched: 12/18/2025, 6:56:20 PM

Last updated: 12/19/2025, 4:07:45 AM


