CVE-2025-11750 Overview
CVE-2025-11750 is a user account enumeration vulnerability in langgenius/dify-web version 1.6.0. The authentication mechanism returns distinct error messages depending on whether a submitted username or email exists in the system. When an account does not exist, the application responds with a message such as account not found. When the account exists but the password is incorrect, a different error message is returned. This behavioral discrepancy allows attackers to differentiate valid accounts from invalid ones through automated probing. Enumerated accounts can then be targeted with brute force, credential stuffing, or social engineering attacks.
Critical Impact
Unauthenticated remote attackers can enumerate valid user accounts by observing differential error responses from the login and registration endpoints, enabling downstream account takeover campaigns.
Affected Products
- langgenius dify version 1.6.0
- Dify web application deployments running on Node.js
- Self-hosted Dify instances exposing login or registration endpoints
Discovery Timeline
- 2025-10-22 - CVE-2025-11750 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-11750
Vulnerability Analysis
The vulnerability falls under [CWE-544] and represents an information disclosure flaw through inconsistent authentication responses. Dify's login and registration flows expose the account existence state through unique error strings. An attacker submitting a list of candidate emails receives clear signals differentiating registered users from unregistered ones. The endpoint requires no authentication and no user interaction, making automated enumeration straightforward at scale.
Dify is an open-source large language model (LLM) application development platform. Instances often host administrative accounts, developer accounts, and API integration users. Enumerating these accounts provides attackers with a targeted list for follow-on attacks against a high-value population.
Root Cause
The root cause is improper design of authentication feedback. The application distinguishes between the account not found condition and the invalid password condition at the response layer instead of returning a single generic failure message. This violates the principle that authentication endpoints must not reveal the existence of accounts to unauthenticated clients.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker automates POST requests to the login or registration endpoints using a wordlist of email addresses. By parsing the returned error text or response structure, the attacker classifies each submission as either a hit or miss. The resulting list of valid accounts feeds directly into credential stuffing tools, password spraying campaigns, or targeted phishing kits.
Refer to the Huntr Bug Bounty Report for the original disclosure details.
Detection Methods for CVE-2025-11750
Indicators of Compromise
- High volume of failed login or registration attempts from a single IP address or narrow IP range against /console/api/login or the registration endpoint.
- Sequential submissions of email addresses drawn from public breach corpora or common naming conventions.
- Elevated ratio of account not found responses in Dify application logs over short time windows.
Detection Strategies
- Instrument the Dify web tier to log all authentication response codes and correlate response type by source IP and user agent.
- Alert on any client that receives more than a defined threshold of distinct account-existence error responses within a rolling window.
- Deploy a web application firewall (WAF) rule to rate limit requests to the login and registration endpoints.
Monitoring Recommendations
- Forward Dify application and reverse proxy logs to a centralized SIEM for enumeration pattern analysis.
- Track baseline volumes of failed authentication events and alert on statistical anomalies.
- Correlate enumeration attempts against a given account with subsequent successful logins to detect account takeover.
How to Mitigate CVE-2025-11750
Immediate Actions Required
- Upgrade langgenius/dify-web to a version later than 1.6.0 once a fix is published by the maintainers.
- Place the Dify login and registration endpoints behind an authenticating reverse proxy or VPN where feasible.
- Enforce strict rate limiting and IP reputation filtering on all authentication endpoints.
Patch Information
At the time of publication, no vendor advisory URL is listed in the NVD entry. Monitor the langgenius/dify GitHub repository and the Huntr disclosure for the official fix. The remediation must return a single generic error message for both non-existent accounts and invalid passwords across the login and registration flows.
Workarounds
- Deploy a reverse proxy filter that normalizes authentication error responses to a single generic message before returning them to clients.
- Require CAPTCHA validation on the login and registration endpoints to disrupt automated enumeration tooling.
- Enable multi-factor authentication (MFA) on all Dify accounts to reduce the impact of successful credential stuffing against enumerated accounts.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

