CVE-2025-63387

7.5 HIGH

📋 TL;DR

CVE-2025-63387 is an insecure permissions vulnerability in Dify v1.9.1 that allows unauthenticated attackers to access the /console/api/system-features endpoint without credentials. This exposes system configuration data, though the maintainer disputes its sensitivity. All Dify v1.9.1 deployments with default configurations are affected.

💻 Affected Systems

Products:
  • Dify
Versions: v1.9.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The maintainer states this endpoint is intentionally unauthenticated for dashboard initialization and returns non-sensitive data.

📦 What is this software?

Dify (github.com/langgenius/dify) is an open-source platform for building and operating LLM applications, commonly deployed with Docker Compose. The /console/api/ routes are the backend of its administrative web console; /console/api/system-features returns the feature flags the console front end reads when it loads, such as which login methods are enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map system architecture, identify other vulnerabilities, or use exposed data for targeted attacks against the Dify deployment.

🟠

Likely Case

Information disclosure of system configuration details that could aid reconnaissance for further attacks.

🟢

If Mitigated

Limited impact if data is truly non-sensitive as maintainer claims, but still violates principle of least privilege.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP GET request to endpoint with no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in pull request #31392

Vendor Advisory: https://github.com/langgenius/dify/issues/31368#issuecomment-3783712203

Restart Required: Yes

Instructions:

1. Update Dify to version containing fix from PR #31392
2. Restart Dify services
3. Verify endpoint now requires authentication

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block unauthenticated access to the /console/api/system-features endpoint

WAF-specific configuration that matches GET /console/api/system-features and allows it only from trusted source ranges or when a console credential is present. Source address alone does not tell a WAF whether a request is authenticated; the Dify console front end sends its session token as a bearer token in the Authorization header, so the usual rule allows the request when that header is present and blocks it otherwise. Because the console's login page calls this endpoint before any token exists, blocking tokenless requests also blocks first load of the console for users outside the trusted ranges.

Reverse Proxy Authentication

Platform: linux

Add an authentication layer in front of the endpoint using nginx or a similar reverse proxy

An nginx location block for /console/api/system-features with auth_basic directives (or allow/deny by source network), placed ahead of the generic /console/api/ proxy location. The same caveat applies: anyone who cannot satisfy the proxy's check cannot load the console at all.
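The location block described above, written out as an added example for this advisory; it is not Dify's shipped nginx configuration. It assumes the Dify API container is reachable from nginx at http://127.0.0.1:5001, that 10.0.0.0/8 is the management network, and that /etc/nginx/dify.htpasswd has been created with htpasswd; all three are assumptions to adjust for your deployment.

```nginx
# Added example, not the Dify project's own config. Upstream address, trusted
# network and htpasswd path are assumptions: change them for your deployment.

# Exact-match location wins over the prefix location below, so only this one
# path gets the extra gate.
location = /console/api/system-features {
    # Either a trusted source network OR valid basic-auth credentials is
    # enough. Without "satisfy any" nginx would demand both.
    satisfy any;

    allow 10.0.0.0/8;          # management network (assumed)
    deny  all;

    auth_basic           "Dify console";
    auth_basic_user_file /etc/nginx/dify.htpasswd;

    proxy_pass         http://127.0.0.1:5001;
    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
}

# The rest of the console API keeps its normal routing.
location /console/api/ {
    proxy_pass         http://127.0.0.1:5001;
    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
}
```

After `nginx -t` and a reload, `curl -i https://<dify-host>/console/api/system-features` from outside the allowed range should return 401 with a `WWW-Authenticate: Basic` header, and the same request with `-u user:pass` should return the JSON the API normally serves. Remove the `allow`/`deny` pair if you want basic auth alone, and remove `satisfy any` together with the `auth_basic` lines if you want a pure source-network restriction.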

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Dify console endpoints
  • Deploy web application firewall with rules blocking unauthenticated access to sensitive endpoints

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to http://[dify-host]/console/api/system-features with no Authorization header and no cookies. If it returns 200 OK with a JSON body, the system is vulnerable. A 401, a 403 from a WAF or reverse proxy, or a redirect to the login page means the endpoint is gated. A 200 with an HTML body is usually the front end's catch-all page rather than the API and proves nothing either way.

Check Version:

Check the Dify version shown in the web console or, for the usual Docker Compose deployment, the image tag of the running langgenius/dify-api container.

Verify Fix Applied:

Send same request after patch. Should return 401 Unauthorized or redirect to login.
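The two checks above (before and after patching) as one script, added here as an example for this advisory rather than Dify project code. It uses only the Python standard library; the target base URL is supplied on the command line, and the mapping of status codes to verdicts is the one described in this section.

```python
"""Unauthenticated check of a Dify host's /console/api/system-features.

Added example for this advisory; it is not Dify project code. Standard
library only; the base URL is supplied by the caller."""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/console/api/system-features"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as HTTPError so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, content_type, body, location=None):
    """Map one HTTP response to 'vulnerable', 'fixed', 'blocked' or 'unknown'.

    vulnerable: 200 with a JSON body, i.e. the API served the data.
    fixed:      401 from the application, or a redirect to a login page.
    blocked:    403, typically a WAF or reverse-proxy rule in front of Dify.
    unknown:    anything else, including 200 with an HTML body, which is
                usually the front end's catch-all page and not the API.
    """
    if status == 200:
        if "application/json" in (content_type or ""):
            try:
                json.loads(body)
                return "vulnerable"
            except ValueError:
                return "unknown"
        return "unknown"
    if status == 401:
        return "fixed"
    if status == 403:
        return "blocked"
    if status in (301, 302, 303, 307, 308):
        target = (location or "").lower()
        return "fixed" if ("login" in target or "signin" in target) else "unknown"
    return "unknown"


def check(base_url, timeout=10):
    """GET the endpoint with no credentials and classify the answer."""
    url = base_url.rstrip("/") + ENDPOINT
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Content-Type"), body)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        return classify(err.code, err.headers.get("Content-Type"), body,
                        err.headers.get("Location"))
    except urllib.error.URLError as err:
        return "unreachable: %s" % err.reason


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    print(target, "->", check(target))
```

Run it as `python3 check_dify.py https://dify.example.com` before and after the update; "vulnerable" should turn into "fixed". A "blocked" verdict only shows that a proxy or WAF workaround is in place, not that the application itself was patched, so re-run the check from inside the trusted network as well.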

📡 Detection & Monitoring

Log Indicators:

  • Repeated GET requests to /console/api/system-features from one source, without a Referer from the console page and with a non-browser User-Agent
  • 401 responses on the endpoint after the patch is applied, which show that probing is continuing

Network Indicators:

  • Unusual traffic patterns to system-features endpoint
  • GET requests without authentication headers

SIEM Query:

httpMethod="GET" AND urlPath="/console/api/system-features" AND (NOT httpReferer="https://<dify-host>/*" OR httpStatus=401)
| stats count BY sourceIP
| where count > 3

Field names are illustrative; map them to your SIEM's schema and set the Referer prefix to your console's origin. Legitimate console loads come from the front end with a Referer from the console page, so tokenless requests without one, or requests that keep arriving after the endpoint starts answering 401, are the probing pattern to alert on.
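The same detection run directly over web-server access logs, as an added example for this advisory; it is not Dify project code. The log lines are constructed for the example, and the burst threshold, the time window and the Referer heuristic (a browser loading the console sends a Referer from the console page, command-line probes normally send none) are assumptions.

```python
"""Flag scripted probing of /console/api/system-features in nginx or Apache
combined-format access logs.

Added example for this advisory, not Dify project code. The log lines are
constructed, and the threshold, window and Referer heuristic are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/console/api/system-features"

# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a scripted scan, one legitimate login-page load, and a
# scanner that keeps probing after the patch and only receives 401s.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "GET /console/api/system-features HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /console/api/system-features HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "GET /console/api/workspaces/current HTTP/1.1" 401 58 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2026:10:00:04 +0000] "GET /console/api/system-features HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
198.51.100.20 - - [10/Jan/2026:10:03:10 +0000] "GET /console/api/system-features HTTP/1.1" 200 412 "https://dify.example.com/signin" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:11:20:00 +0000] "GET /console/api/system-features HTTP/1.1" 401 58 "-" "curl/8.5.0"
192.0.2.9 - - [10/Jan/2026:11:20:30 +0000] "GET /console/api/system-features?x=1 HTTP/1.1" 401 58 "-" "curl/8.5.0"
192.0.2.9 - - [10/Jan/2026:11:22:00 +0000] "GET /console/api/system-features HTTP/1.1" 401 58 "-" "curl/8.5.0"
"""


def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: summary} for sources that sent at least `threshold` GETs to
    the endpoint inside any span of `window`. The summary counts total hits,
    hits without a Referer, and hits answered 401/403, the last being the
    post-patch signal the advisory calls out."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "GET" and rec["path"] == ENDPOINT:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        burst = any(recs[i + threshold - 1]["ts"] - recs[i]["ts"] <= window
                    for i in range(len(recs) - threshold + 1))
        if burst:
            findings[ip] = {
                "hits": len(recs),
                "no_referer": sum(1 for r in recs if r["referer"] in ("", "-")),
                "denied": sum(1 for r in recs if r["status"] in (401, 403)),
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On the constructed sample the single browser load from 198.51.100.20 is not reported, while both scanners are. Point `detect()` at your real access log (`detect(open("/var/log/nginx/access.log"))`) and tune `threshold` and `window` to your traffic; a high `denied` count after the patch is the "401 errors after patch applied" indicator from the list above.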
