CVE-2025-67732
📋 TL;DR
Dify versions before 1.11.0 expose API keys in plaintext to frontend users, allowing non-administrators to view and potentially misuse them. This vulnerability enables unauthorized access to third-party services integrated with Dify, potentially consuming API quotas or accessing sensitive data. All Dify deployments using affected versions are impacted.
💻 Affected Systems
- Dify
📦 What is this software?
Dify by Dify
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full access to integrated third-party services, consume all API quotas, access sensitive data, and potentially pivot to other systems using stolen credentials.
Likely Case
Non-admin users discover and reuse API keys for unauthorized access to integrated services, leading to quota consumption and potential data exposure.
If Mitigated
Limited impact if API keys have minimal permissions and quotas are monitored, but credential exposure remains a security concern.
🎯 Exploit Status
Exploitation requires authenticated access as a non-admin user. The vulnerability is simple to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.0
Vendor Advisory: https://github.com/langgenius/dify/security/advisories/GHSA-phpv-94hg-fv9g
Restart Required: Yes
Instructions:
1. Backup your Dify instance and database.
2. Update to version 1.11.0 or later using your deployment method (Docker, Kubernetes, or direct installation).
3. Restart the Dify services.
4. Verify the fix by checking that API keys are no longer exposed to non-admin users.
🔧 Temporary Workarounds
Restrict User Access
Limit non-admin user accounts and review existing user permissions to minimize exposure.
Rotate API Keys
Immediately rotate all exposed API keys for integrated third-party services.
🧯 If You Can't Patch
- Implement strict network segmentation to limit what systems can be accessed with exposed API keys
- Enable detailed logging and monitoring for API key usage across all integrated services
🔍 How to Verify
Check if Vulnerable:
Log in as a non-admin user and check if API keys are visible in the frontend interface or network responses.
Check Version:
Check the Dify version in the admin panel or run: docker exec dify-api python -c "import dify; print(dify.__version__)"
Verify Fix Applied:
After updating to 1.11.0+, verify that non-admin users cannot view API keys in the interface or network traffic.
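The "check network responses" step above is easiest to repeat after every upgrade if it is scripted. The following is an added example, not code from the advisory or from the Dify project: it walks a captured JSON response body and reports every credential-looking field whose value is not masked. The sample bodies, field names and key formats are constructed for the example and do not reflect Dify's real API schema; in practice you would feed it the response bodies captured from the browser's network tab while logged in as a non-admin user.

```python
import json
import re

# Constructed sample responses (assumed field names, not Dify's real schema).
# The first shows the pre-1.11.0 behaviour (plaintext keys), the second a
# masked response as a fixed deployment should return to a non-admin user.
SAMPLE_RESPONSE_VULNERABLE = json.dumps({
    "data": [
        {"provider": "openai", "api_key": "sk-EXAMPLE-0123456789abcdef"},
        {"provider": "anthropic", "api_key": "sk-ant-EXAMPLE-abcdef012345"},
    ]
})
SAMPLE_RESPONSE_FIXED = json.dumps({
    "data": [
        {"provider": "openai", "api_key": "sk-****cdef"},
        {"provider": "anthropic", "api_key": "sk-a****2345"},
    ]
})

# Field names that usually hold credentials, and what a masked value looks like.
SECRET_FIELD = re.compile(r"(api[_-]?key|secret|token|password)", re.IGNORECASE)
MASKED_VALUE = re.compile(r"[*\u2022]{3,}")


def walk(obj, path=""):
    """Yield (json_path, leaf_value) for every scalar in a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def find_plaintext_secrets(body):
    """Return the JSON paths of credential fields that carry an unmasked value."""
    findings = []
    for path, value in walk(json.loads(body)):
        leaf_name = path.rsplit(".", 1)[-1]
        if not SECRET_FIELD.search(leaf_name):
            continue
        if not isinstance(value, str) or not value:
            continue  # null/empty values do not disclose anything
        if MASKED_VALUE.search(value):
            continue  # server already redacted this value
        findings.append(path)
    return findings


def is_exposed(body):
    """True if the response body would leak at least one plaintext credential."""
    return bool(find_plaintext_secrets(body))


if __name__ == "__main__":
    for label, body in (("vulnerable", SAMPLE_RESPONSE_VULNERABLE),
                        ("fixed", SAMPLE_RESPONSE_FIXED)):
        print(label, "->", find_plaintext_secrets(body) or "no plaintext keys")
```

Run it against every response the non-admin session receives when opening the model-provider or integration settings pages; an empty result for all of them is the condition the advisory's "Verify Fix Applied" step asks for. A masked prefix/suffix is still a disclosure of a few characters, so a stricter policy may treat any non-empty value as a finding.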
📡 Detection & Monitoring
Log Indicators:
- Unusual API key usage patterns
- API calls from unexpected user accounts or IP addresses
Network Indicators:
- API requests using keys that should not be exposed
- Traffic to third-party services from unauthorized sources
SIEM Query:
source="dify_logs" AND (event="api_key_access" OR event="unauthorized_api_call")
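The SIEM query above only selects the two event types; the log and network indicators listed before it (unexpected accounts, unexpected IPs) still have to be applied on top of that selection. As an added example that is not part of the advisory, the script below implements the same selection in Python over constructed JSON log lines and then raises an alert when a key was read by a non-admin account or when a matching event came from outside an internal address range. The log format, field names (`source`, `event`, `user`, `role`, `ip`) and the internal network are assumptions for the example; map them to whatever your Dify and reverse-proxy logs actually emit.

```python
import ipaddress
import json

# Constructed sample log lines (assumed format, not Dify's real log schema).
SAMPLE_LOGS = """\
{"ts":"2025-01-10T09:00:01Z","source":"dify_logs","event":"login","user":"alice","role":"admin","ip":"10.0.0.5"}
{"ts":"2025-01-10T09:01:12Z","source":"dify_logs","event":"api_key_access","user":"alice","role":"admin","ip":"10.0.0.5"}
{"ts":"2025-01-10T09:02:40Z","source":"dify_logs","event":"api_key_access","user":"bob","role":"editor","ip":"10.0.0.9"}
{"ts":"2025-01-10T09:05:03Z","source":"dify_logs","event":"unauthorized_api_call","user":"bob","role":"editor","ip":"203.0.113.7"}
{"ts":"2025-01-10T09:06:00Z","source":"nginx","event":"api_key_access","user":"-","role":"-","ip":"10.0.0.9"}
"""

# Assumed internal address space; adjust to your deployment.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SIEM_EVENTS = {"api_key_access", "unauthorized_api_call"}


def matches_siem_query(record):
    """Equivalent of: source="dify_logs" AND (event="api_key_access" OR event="unauthorized_api_call")."""
    return record.get("source") == "dify_logs" and record.get("event") in SIEM_EVENTS


def is_internal(ip_text):
    """True if the address parses and falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # missing or malformed IP is treated as external
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Return (timestamp, user, reasons) for every selected event that is suspicious."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON rather than crash the pipeline
        if not matches_siem_query(record):
            continue
        reasons = []
        if record["event"] == "unauthorized_api_call":
            reasons.append("unauthorized_api_call")
        # Reading a provider key is normal for admins; for anyone else it is
        # the behaviour this CVE allows and should be investigated.
        if record["event"] == "api_key_access" and record.get("role") != "admin":
            reasons.append("non-admin key access")
        if not is_internal(record.get("ip", "")):
            reasons.append("external ip")
        if reasons:
            alerts.append((record["ts"], record.get("user", "?"), reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, reasons in analyse(SAMPLE_LOGS):
        print(ts, user, ", ".join(reasons))
```

The admin reading a key from an internal address produces no alert, the `nginx` line is dropped by the source filter, and the two `bob` events surface: a non-admin key read, then an unauthorized call from an external address. Pair this with the third-party providers' own usage dashboards, since the quota consumption the advisory warns about shows up there rather than in Dify's logs.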