CVE-2025-43854

Severity: Low (CVSS 4.0 base score 2.3)
EPSS: 9.9%
Published: Apr 28, 2025
Last Modified: Jun 17, 2026

Description

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, the default setup of the DIFY application was vulnerable to clickjacking (CWE-1021): a malicious site could embed the DIFY web interface in a frame and overlay or hide it so that a logged-in user clicks on its elements without their knowledge or consent. This can lead to unauthorized actions being performed in the victim's session, potentially compromising the security and privacy of users. The CVSS vector reflects the preconditions of the attack: the attacker must host the framing page and lure the victim to it (AT:P), and the victim only has to perform ordinary clicks on that page (UI:P). This issue has been fixed in version 1.3.0.
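A practical check for this class of issue, added here as an example (this is not Dify's code and does not reproduce the fix in the referenced pull request): the function below takes a response's headers and classifies its anti-framing posture. It evaluates Content-Security-Policy frame-ancestors before X-Frame-Options because browsers that support frame-ancestors ignore X-Frame-Options when both are present, and it ignores Content-Security-Policy-Report-Only, which never blocks framing. The `harden` helper and the sample header sets are constructed for illustration; the only assumption about DIFY is the one the description implies but does not spell out, that the vulnerable default setup served pages any origin could embed in a frame.

```python
"""Classify an HTTP response's clickjacking protection from its headers.

Added example for CVE-2025-43854; this is not Dify's code and does not
reproduce the fix in the referenced pull request. It assumes (as the
description implies, but does not state) that the vulnerable default
setup served pages that any origin could embed in a frame.
"""
from typing import Mapping, Optional


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [token.lower() for token in tokens[1:]]
    return None


def frame_protection(headers: Mapping[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'restricted' or 'none'.

    'none' is the clickjacking condition: any site may embed the page.
    Only the enforcing Content-Security-Policy header counts; a
    Content-Security-Policy-Report-Only header or a <meta> CSP tag does
    not block framing, so neither is consulted.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            # A present but empty source list matches no ancestor, like 'none'.
            if not sources or sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            if "*" in sources:
                return "none"
            return "restricted"  # explicit allow-list of parent origins
    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "deny"
        if value == "SAMEORIGIN":
            return "sameorigin"
        # ALLOW-FROM is obsolete and ignored by current browsers, so it
        # offers no protection; any other value is invalid and also ignored.
    return "none"


def harden(headers: Mapping[str, str]) -> dict:
    """Return a copy of the headers with framing denied by both mechanisms.

    Any existing frame-ancestors directive is replaced with 'none' while the
    rest of the CSP is kept; X-Frame-Options DENY is emitted as well for
    clients that predate CSP level 2.
    """
    out = {}
    csp_value = ""
    for key, value in headers.items():
        if key.lower() == "content-security-policy":
            csp_value = value  # re-emitted under the canonical name below
        elif key.lower() != "x-frame-options":
            out[key] = value
    directives = [d.strip() for d in csp_value.split(";") if d.strip()]
    directives = [d for d in directives if d.split()[0].lower() != "frame-ancestors"]
    directives.append("frame-ancestors 'none'")
    out["Content-Security-Policy"] = "; ".join(directives)
    out["X-Frame-Options"] = "DENY"
    return out


# Constructed sample header sets (not captured from a real Dify instance).
VULNERABLE_DEFAULT = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = harden(VULNERABLE_DEFAULT)

if __name__ == "__main__":
    for label, hdrs in (("default", VULNERABLE_DEFAULT), ("hardened", HARDENED)):
        print(f"{label}: {frame_protection(hdrs)}")
```

To run the check against a live deployment, feed it the headers of an authenticated page (for example from `curl -sI`); a result of `none` on any page that performs state-changing actions is the condition this CVE describes.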

CVSS Details

Base Score: 2.3 (CVSS 4.0, Low)
Vector string:
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: Present (AT:P)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P)
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability None (VC:L/VI:L/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)

The threat, environmental and supplemental metrics in the vector are all X (not defined), so only the base metrics contribute to the score. CVSS 4.0 has no Scope metric; it was replaced by the subsequent-system impact metrics above.

Threat Intelligence

EPSS exploit probability: 9.9% percentile
Exploit status: No known exploit
Patch status: Patch available

Weaknesses (1)

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

Affected Products (1)

Vendor: langgenius
Product: dify
Version: *
Range: ≤0.6.8

Note: the recorded range (≤0.6.8) is narrower than the description, which states that all versions prior to 1.3.0 are affected and that 1.3.0 contains the fix. Treat any deployment below 1.3.0 as affected.

References (2)

  • github.com https://github.com/langgenius/dify/pull/18516
    Issue Tracking, Patch
  • github.com https://github.com/langgenius/dify/security/advisories/GHSA-jhgq-cx3f-vj5p
    Vendor Advisory

Remediation

  • Upgrade DIFY to version 1.3.0 or later, which contains the fix.
  • github.com https://github.com/langgenius/dify/pull/18516
    Issue Tracking, Patch