CVE-2025-63387
HIGHCVSS v3
7.5
HIGH
EPSS Score
12.9%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. T
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 12/18/2025
- Last Modified
- 1/22/2026
Frequently Asked Questions
What is CVE-2025-63387?
Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data. NOTE: The maintainer states that the endpoint is unauthenticated by design and serves as a bootstrap mechanism required for the dashboard initialization. T
Is CVE-2025-63387 actively exploited?
Active exploitation of CVE-2025-63387 has not been confirmed. The EPSS score is 12.9%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2025-63387?
CVE-2025-63387 has a CVSS v3 base score of 7.5 (HIGH severity), with vector string 3.1.
Is CVE-2025-63387 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.