PT-2025-42619 · Dify · Dify

Published 2025-10-17 · Updated 2025-10-17 · CVE-2025-58747

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Dify versions through 1.9.1

Description

The Dify platform, used for LLM application development, has a cross-site scripting flaw in its MCP OAuth component. The flaw can be triggered when a user connects to a remote MCP server controlled by an attacker. The authorization URL received from the remote MCP server is passed directly to window.open without validation or sanitization. An attacker can set up a malicious MCP server that returns a JavaScript URI, such as javascript:alert(1), as the authorization URL. When a user tries to connect to this server, the JavaScript is executed within the Dify application, allowing the attacker to run arbitrary code.

Recommendations

Update Dify to a version later than 1.9.1.
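
The missing check described above can be expressed as a scheme allow-list applied after URL parsing. The following is an added example, not code from Dify or from the fix; the function names and the loopback exception for plain http are assumptions made for illustration.

```javascript
// Added example: scheme allow-list for a server-supplied OAuth authorization URL.
// Function names and the loopback exception are assumptions, not Dify's code.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns the normalized URL string if it is safe to navigate to, else null.
function safeAuthorizationUrl(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    // Parse with the same WHATWG algorithm the browser uses, so case,
    // leading whitespace and embedded tabs/newlines are normalized before
    // the scheme is checked. No base is given: relative input is rejected.
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol === "https:") return url.href;
  // Assumption: plain http is tolerated only for local development servers.
  if (url.protocol === "http:" && LOOPBACK_HOSTS.has(url.hostname)) {
    return url.href;
  }
  return null; // javascript:, data:, vbscript:, blob:, file:, ...
}

// Browser-side wrapper: open the popup only for a validated URL.
// `open` is injectable so the logic can be exercised outside a browser.
function openAuthorizationPopup(raw, open = globalThis.open) {
  const target = safeAuthorizationUrl(raw);
  if (target === null) return false; // refuse; caller should surface an error
  open(target, "_blank");
  return true;
}
```

Checking the parsed protocol rather than a string prefix matters because the URL parser treats inputs such as mixed-case schemes or schemes containing tab characters as javascript: URLs.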

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-58747
GHSA-9JCH-J9QF-VQFW

Affected Products

Dify