
CVE-2025-63388: n/a

Severity: Critical
Published: Thu Dec 18 2025 (12/18/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any external domain to make authenticated cross-origin requests. NOTE: the Supplier disputes this, providing the rationale of "sending requests with credentials does not provide any additional access compared to unauthenticated requests."

AI-Powered Analysis

Last updated: 01/30/2026, 08:57:21 UTC

Technical Analysis

CVE-2025-63388 identifies a critical security vulnerability in the Dify software version 1.9.1, specifically within the /console/api/system-features endpoint. The vulnerability is a Cross-Origin Resource Sharing (CORS) misconfiguration categorized under CWE-346, which involves improper validation of origin headers. The endpoint reflects arbitrary Origin headers and sets the Access-Control-Allow-Credentials header to true, which allows browsers to include user credentials such as cookies, HTTP authentication, or client-side SSL certificates in cross-origin requests. This combination effectively permits any external domain to perform authenticated requests on behalf of a user, potentially exposing sensitive information or allowing unauthorized actions. The vulnerability does not require any privileges or user interaction, making it exploitable remotely over the network. The supplier disputes the impact, arguing that credentialed requests do not provide more access than unauthenticated ones; however, the CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects a critical severity due to the high impact on confidentiality and integrity without requiring authentication or user interaction. No patches or fixes have been released at the time of publication, and no known exploits have been reported in the wild. Organizations using Dify v1.9.1 should consider this vulnerability a significant risk, especially in environments where sensitive data is processed or stored.

Potential Impact

For European organizations, exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information and unauthorized modification of data, severely impacting confidentiality and integrity. Since the vulnerability allows cross-origin requests with credentials, attackers could leverage malicious websites to perform actions on behalf of authenticated users without their consent. This could result in data breaches, unauthorized configuration changes, or exposure of internal system features. The lack of required authentication or user interaction increases the risk of automated exploitation at scale. Organizations in sectors such as finance, healthcare, and government, which often handle sensitive personal and operational data, are particularly at risk. The potential impact includes regulatory non-compliance with GDPR due to data breaches, reputational damage, and operational disruptions. The absence of a patch means organizations must rely on mitigation strategies until an official fix is available.

Mitigation Recommendations

1. Immediately restrict the CORS policy on the /console/api/system-features endpoint to allow only trusted origins explicitly, avoiding reflection of arbitrary Origin headers.
2. Set Access-Control-Allow-Credentials to false unless absolutely necessary, and if used, ensure strict origin validation.
3. Implement server-side validation of Origin headers against a whitelist of allowed domains to prevent unauthorized cross-origin requests.
4. Employ Content Security Policy (CSP) headers to limit the domains that can interact with the application.
5. Monitor network traffic and logs for unusual cross-origin requests or suspicious activities targeting the vulnerable endpoint.
6. If possible, disable or restrict access to the /console/api/system-features endpoint until a patch is released.
7. Engage with the vendor for timely updates and patches, and apply them as soon as they become available.
8. Conduct penetration testing and code reviews focused on CORS configurations across all web-facing services.
9. Educate developers and administrators on secure CORS implementation best practices to prevent similar vulnerabilities.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-10-27T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 694420bc4eb3efac36956eaa

Added to database: 12/18/2025, 3:41:48 PM

Last enriched: 1/30/2026, 8:57:21 AM

Last updated: 2/5/2026, 2:12:26 PM

