CVE-2025-11750

5.3 MEDIUM

📋 TL;DR

This vulnerability allows attackers to determine whether specific user accounts exist in a langgenius/dify-web deployment by comparing the authentication error messages returned for an unknown account and for a known account with a wrong password. Attackers can use this information to facilitate targeted attacks such as credential stuffing or social engineering. All deployments of langgenius/dify-web version 1.6.0 are affected.

💻 Affected Systems

Products:
  • langgenius/dify-web
Versions: 1.6.0
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with default authentication configuration are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers successfully enumerate all valid user accounts and use this information to conduct targeted credential stuffing attacks, leading to account compromise and potential data breaches.

🟠 Likely Case

Attackers identify valid user accounts and use this information for targeted phishing or social engineering attacks against specific users.

🟢 If Mitigated

With proper controls such as rate limiting and consistent error messages, attackers cannot reliably enumerate accounts, reducing the attack surface significantly.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only basic HTTP requests and analysis of error messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.1 or later

Vendor Advisory: https://huntr.com/bounties/e7359f9f-c004-4304-9de9-753622d370a1

Restart Required: No

Instructions:

1. Update to langgenius/dify-web version 1.6.1 or later.
2. Verify the update was successful.
3. Test authentication error messages to ensure consistent responses.

🔧 Temporary Workarounds

Implement consistent authentication error messages

Operating Systems: all

Modify authentication endpoints to return identical error messages for both non-existent accounts and incorrect passwords.
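The workaround above in working code, as an added example that is not Dify's code: a generic login handler written for this page, with the message-leaking "before" beside the hardened form. The user store, the hypothetical function names `login_vulnerable` / `login_hardened`, the message strings and the PBKDF2 parameters are all assumptions. The hardened version does two things: it returns one generic message on every failure path, and it hashes the supplied password against a dummy record when the account does not exist, so the unknown-user path costs the same work as the wrong-password path and does not leak the difference through timing either. `responses_are_consistent` is the "Verify Fix Applied" check from this page run locally against a handler.

```python
"""Account-enumeration-resistant login handler (added example, not Dify code)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption; any fixed cost shared by both paths works


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store for the example: username -> (salt, pbkdf2 hash).
_ALICE_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_ALICE_SALT, _hash_password("correct horse battery", _ALICE_SALT)),
}

# Dummy credential used when the account does not exist, so the unknown-user
# path performs the same PBKDF2 work as the wrong-password path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_ERROR = "Invalid email or password."


def login_vulnerable(username: str, password: str) -> tuple[bool, str]:
    """Before: two distinct messages tell the caller whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Account not found."          # leaks: no such user
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return False, "Incorrect password."         # leaks: user exists
    return True, "OK"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """After: one generic message and equal work on both failure paths."""
    record = USERS.get(username)
    exists = record is not None
    salt, stored = record if exists else (_DUMMY_SALT, _DUMMY_HASH)
    # Always run the hash; only then combine with `exists` so the dummy record
    # can never authenticate, however the dummy hash was produced.
    matched = hmac.compare_digest(_hash_password(password, salt), stored)
    if not (matched and exists):
        return False, GENERIC_ERROR
    return True, "OK"


def responses_are_consistent(login) -> bool:
    """The page's verification step against a handler: unknown account vs.
    known account with a wrong password must yield identical responses."""
    unknown = login("nobody@example.com", "wrong-password")
    known_bad = login("alice@example.com", "wrong-password")
    return unknown == known_bad


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, "consistent:", responses_are_consistent(fn))
```

In a real service the same principle applies to every observable difference: status code, response body, headers and response time. The generic message alone is not enough if the unknown-user branch returns early without hashing.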

🧯 If You Can't Patch

  • Implement rate limiting on authentication endpoints to prevent automated enumeration
  • Deploy a web application firewall (WAF) with rules to detect and block account enumeration patterns

🔍 How to Verify

Check if Vulnerable:

Attempt authentication with a non-existent username and note the error message. Then attempt with a known valid username but wrong password. If error messages differ, the system is vulnerable.

Check Version:

Check the application version in the admin interface or configuration files.

Verify Fix Applied:

Repeat the verification steps above. Both authentication attempts should return identical generic error messages.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with different usernames from the same source IP
  • Pattern of authentication failures followed by successful logins

Network Indicators:

  • Unusual volume of authentication requests to login endpoints
  • Requests with sequential or dictionary-based usernames

SIEM Query:

source_ip=* AND (event_type="authentication_failure" OR event_type="login_failed") AND count > 10 within 5 minutes
