CVE-2025-63387

HIGH

CVSS v3

7.5

HIGH

EPSS Score

12.5%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. They also state that the description inaccurately classifies the returned data as sensitive system configuration, stating that the data is non-sensitive and required for client-side rendering. No PII, credentials, or secrets are exposed.

Technical Details

Published
12/18/2025

Frequently Asked Questions

What is CVE-2025-63387?

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. They also state that the description inaccurately classifies the returned data as sensitive system configuration, stating that the data is non-sensitive and required for client-side rendering. No PII, credentials, or secrets are exposed.

Is CVE-2025-63387 actively exploited?

Active exploitation of CVE-2025-63387 has not been confirmed. The EPSS score is 12.5%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-63387?

CVE-2025-63387 has a CVSS v3 base score of 7.5 (HIGH severity).

Is CVE-2025-63387 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.