CVE-2025-63387 Overview
CVE-2025-63387 is an Insecure Permissions vulnerability affecting Dify v1.9.1, an open-source LLM application development platform developed by LangGenius. The vulnerability allows unauthenticated attackers to directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to system configuration data.
It is important to note that the maintainer disputes the severity classification, stating that the endpoint is intentionally unauthenticated by design and serves as a bootstrap mechanism required for dashboard initialization. According to the maintainer, the returned data is non-sensitive and required for client-side rendering, with no PII, credentials, or secrets exposed.
Critical Impact
Unauthenticated access to system configuration endpoint may expose feature flags, system settings, and deployment information that could aid attackers in reconnaissance activities.
Affected Products
- LangGenius Dify v1.9.1
- Dify Node.js deployments
Discovery Timeline
- 2025-12-18 - CVE-2025-63387 published to NVD
- 2026-01-22 - Last updated in NVD database
Technical Details for CVE-2025-63387
Vulnerability Analysis
This vulnerability falls under CWE-284 (Improper Access Control), where the application fails to properly restrict access to a sensitive resource. The /console/api/system-features endpoint in Dify v1.9.1 does not implement authentication or authorization checks, allowing any network-accessible client to retrieve system feature configuration data.
The attack requires no user interaction and can be executed remotely over the network with low complexity. While the maintainer argues this is intended behavior for bootstrapping the client dashboard, security researchers have raised concerns about the information exposure implications, particularly in environments where Dify instances are exposed to untrusted networks.
Root Cause
The root cause is a design decision where the /console/api/system-features endpoint was intentionally left unauthenticated to facilitate client-side dashboard initialization. The endpoint does not validate session tokens, API keys, or any other form of authentication before returning system configuration data. While the maintainer considers this data non-sensitive, the lack of access controls creates a potential information disclosure vector.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by performing the following steps:
- Identify a Dify instance accessible over the network
- Send an HTTP GET request to /console/api/system-features
- Receive system feature configuration data in the response without any authentication challenge
The vulnerability is trivially exploitable as it requires only a simple HTTP request. Technical details and proof-of-concept demonstrations are available through the GitHub Gist references.
Detection Methods for CVE-2025-63387
Indicators of Compromise
- Unusual volume of HTTP GET requests to /console/api/system-features from external IP addresses
- Access to the system-features endpoint from IP addresses not associated with legitimate users
- Sequential or automated requests to the endpoint indicative of scanning or enumeration activity
- Web server logs showing unauthenticated access patterns to console API endpoints
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on unauthenticated access to /console/api/system-features
- Configure SIEM alerts for anomalous request patterns targeting Dify console API endpoints
- Review access logs for the endpoint and correlate with known legitimate user sessions
- Deploy network intrusion detection signatures for reconnaissance activity against Dify instances
Monitoring Recommendations
- Enable detailed access logging for all Dify console API endpoints
- Monitor for scanning activity targeting multiple Dify API endpoints in sequence
- Implement rate limiting on the /console/api/system-features endpoint to reduce automated enumeration risks
- Set up alerts for access attempts from geographic regions or IP ranges outside normal operational scope
How to Mitigate CVE-2025-63387
Immediate Actions Required
- Review network exposure of Dify instances and restrict access to trusted networks only
- Implement network-level access controls (firewall rules, security groups) to limit who can reach the Dify console
- Consider deploying a reverse proxy with authentication in front of Dify console endpoints
- Audit current logs for evidence of exploitation or reconnaissance against the affected endpoint
Patch Information
The Dify maintainers have addressed this issue through community discussion. Related pull requests have been submitted to the project:
The maintainer's position, documented in the GitHub Issue Comment, indicates this is intended behavior. Organizations concerned about this exposure should implement additional access controls at the network or proxy level.
Workarounds
- Deploy Dify behind a reverse proxy that requires authentication before allowing access to console endpoints
- Use network segmentation to ensure Dify instances are not directly accessible from untrusted networks
- Implement IP allowlisting at the firewall or load balancer level to restrict access to known legitimate sources
- Consider using a VPN or zero-trust network access solution for accessing Dify management interfaces
# Example nginx reverse proxy configuration with basic auth
location /console/api/ {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://dify-backend:5001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
