CVE-2025-63388 identifies a critical security flaw in Dify version 1.9.1, specifically within the /console/api/system-features endpoint. The vulnerability is a CORS misconfiguration where the server reflects the Origin header value from incoming requests without validation and sets Access-Control-Allow-Credentials to true. This combination violates secure CORS practices by allowing any external domain to make authenticated cross-origin requests, effectively bypassing the browser's same-origin policy. When a user authenticated to Dify visits a malicious website, that site can silently perform actions or retrieve sensitive information from the vulnerable endpoint using the victim's credentials. This can lead to unauthorized data disclosure, account manipulation, or other malicious activities depending on the endpoint's functionality. The vulnerability does not require user interaction beyond visiting a malicious site, and no authentication bypass is needed since the victim must already be authenticated. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of data accessed through Dify, especially if used for managing sensitive or internal systems. Attackers can exploit this flaw to perform unauthorized actions or extract sensitive information by leveraging authenticated sessions of legitimate users. This could lead to data breaches, unauthorized configuration changes, or lateral movement within networks. Organizations relying on Dify for critical workflows or those integrating it with other internal tools may face operational disruptions or compliance violations under GDPR if personal data is exposed. The vulnerability's exploitation could also undermine trust in digital services and lead to reputational damage. Since the vulnerability requires the victim to be authenticated, organizations with high numbers of remote or mobile users are particularly vulnerable. The absence of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

To mitigate CVE-2025-63388, organizations should immediately audit and restrict the CORS policy on the /console/api/system-features endpoint. Specifically, the server must validate the Origin header against a whitelist of trusted domains rather than reflecting it blindly. Access-Control-Allow-Credentials should only be set to true if absolutely necessary and only for trusted origins. Implementing strict Content Security Policy (CSP) headers can help reduce the risk of malicious cross-origin requests. Additionally, organizations should monitor logs for unusual cross-origin requests and user activity patterns indicative of exploitation attempts. If possible, disable or limit the use of the vulnerable endpoint until a patch is released. Educate users about the risks of visiting untrusted websites while authenticated to sensitive services. Finally, maintain an up-to-date inventory of software versions and apply security patches promptly once available from the vendor.