CVE-2025-63386

Published: Dec 18, 2025

Modified: Feb 11, 2026

PUBLISHED

Description

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains to make authenticated requests. NOTE: the Supplier disputes this because the endpoint configuration is intentional to support bootstrap.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/langgenius/dify/discussions

https://gist.github.com/Cristliu/1610daac87c711ac3e0250c58f5cc4f9

https://gist.github.com/Cristliu/8ad993126be05c9210c71cc7d49fa112

https://github.com/langgenius/dify/pull/32224

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-63386

Description

Affected Products

References