Home > Vulnerability Database > CVE-2025-43854

Mend.io Vulnerability Database

CVE-2025-43854

Good to know:

Date: April 28, 2025

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.

Severity Score

6.1

Related Resources (4)

Url: https://github.com/langgenius/dify/pull/18516

Url: https://github.com/langgenius/dify/security/advisories/GHSA-jhgq-cx3f-vj5p

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-43854

Url: https://www.mend.io/vulnerability-database/CVE-2025-43854

Severity Score

6.1

Weakness Type (CWE)

Improper Restriction of Rendered UI Layers or Frames

CWE-1021

Top Fix

Upgrade Version

Upgrade to version https://github.com/langgenius/dify.git - 1.3.0

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-43854

Good to know:

Date: April 28, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?