Home > Vulnerability Database > CVE-2025-63387

Mend.io Vulnerability Database

CVE-2025-63387

Good to know:

Date: December 18, 2025

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous access to sensitive system configuration data.

Severity Score

7.5

Related Resources (4)

Url: https://gist.github.com/Cristliu/cddc0cbbf354de51106ab63a11be94af

Url: https://github.com/langgenius/dify/discussions

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-63387

Url: https://www.mend.io/vulnerability-database/CVE-2025-63387

Severity Score

7.5

Weakness Type (CWE)

Improper Access Control

CWE-284

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-63387

Good to know:

Date: December 18, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?