CVE-2025-63387
HIGHCVSS v3
7.5
HIGH
EPSS Score
12.5%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. They also state that the description inaccurately classifies the returned data as sensitive system configuration, stating that the data is non-sensitive and required for client-side rendering. No PII, credentials, or secrets are exposed.
Technical Details
- Published
- 12/18/2025
Frequently Asked Questions
What is CVE-2025-63387?
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. They also state that the description inaccurately classifies the returned data as sensitive system configuration, stating that the data is non-sensitive and required for client-side rendering. No PII, credentials, or secrets are exposed.
Is CVE-2025-63387 actively exploited?
Active exploitation of CVE-2025-63387 has not been confirmed. The EPSS score is 12.5%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2025-63387?
CVE-2025-63387 has a CVSS v3 base score of 7.5 (HIGH severity).
Is CVE-2025-63387 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.