PT-2025-52282 · Dify · Dify

Author: Cristliu
Published: 2025-12-18
Updated: 2026-01-28

CVE-2025-63387
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Dify version 1.9.1

Description
Dify version 1.9.1 has an insecure-permissions issue. An unauthenticated attacker can send an HTTP GET request to the /console/api/system-features API endpoint without supplying any credentials. The endpoint does not properly verify authorization, allowing unauthorized access to sensitive system configuration data. Approximately 85,000 instances have been identified online over the past year.

Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /console/api/system-features endpoint.
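The temporary workaround above, expressed as a reverse-proxy rule. This is an added example, not part of the advisory and not Dify's own configuration; it assumes Dify is deployed behind an nginx reverse proxy that forwards /console/api/ to an API service reachable as http://api:5001 (assumed host name and port) and that administrators connect from 10.0.0.0/8 (a constructed placeholder range).

```nginx
# Added example: restrict the affected endpoint at the reverse proxy until the
# instance is upgraded. Assumes the Dify API service is http://api:5001 (assumed).
location = /console/api/system-features {
    # Constructed placeholder: replace with the address range of the admin network.
    allow 10.0.0.0/8;
    deny  all;                      # every other client receives HTTP 403
    proxy_pass http://api:5001;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# The remaining console API paths keep their existing handling.
location /console/api/ {
    proxy_pass http://api:5001;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

The exact-match `location =` block takes precedence over the prefix block, so only the one endpoint is affected. After `nginx -t` and a reload, a request from an address outside the allowlist should return 403 while requests from the admin network are proxied as before. The console front end may depend on this endpoint for its feature flags, so allowing the admin network is preferable to denying everyone. Because the underlying defect is a missing authorization check in the application, the proxy rule is a stopgap; updating to a fixed version remains the actual remedy.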

Fix

Weakness Enumeration
Improper Access Control

Related Identifiers
CVE-2025-63387
PYSEC-2025-103

Affected Products
Dify