CVE-2025-63386 - CORS Misconfiguration in Dify Setup Endpoint

Key Information:
CVE ID: CVE-2025-63386
Date: 2025-12-18
Vendor: LangGenius (Dify)
Product: Dify
Affected Versions: v1.9.1
Vulnerability Type: Insecure Permissions / CORS Misconfiguration
Severity: Medium (Information Disclosure)

Summary:
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables credentials, permitting arbitrary external domains to make authenticated requests.

Impact:
Information Disclosure: Attackers can retrieve sensitive installation and setup information via cross-origin requests.

References:
Vendor Repository: https://github.com/langgenius/dify
Discussions: https://github.com/langgenius/dify/discussions

Credits:
Discovered by Zhihuang Liu (herecristliu@gmail.com).
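The following is an added illustration, not code from the Dify project or from the advisory, of the policy pattern the summary describes and of its hardened counterpart. It assumes a hypothetical allowlist of trusted origins (Dify's real deployment origins are not on the page) and models the CORS response headers as a plain dictionary rather than through any web framework. The weak handler echoes whatever Origin the browser sent together with Access-Control-Allow-Credentials: true, which is what lets an unrelated site read a cookie-authenticated response; the hardened handler echoes only an exact allowlist match and adds Vary: Origin so a shared cache never serves one origin's headers to another. A small checker flags the insecure combination in a set of response headers, which is the check a defender would run against a setup endpoint's responses.

```python
"""Added example (not Dify's own code): Origin-reflecting CORS with
credentials versus an allowlisted policy, plus a header check that
flags the insecure combination."""
from typing import Dict, Optional

# Constructed allowlist for the example; real deployments would list
# their own console/front-end origins here.
TRUSTED_ORIGINS = {"https://console.example.internal"}


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern described in the advisory: reflect any Origin and
    allow credentials, so any external page can issue a cookie-bearing
    request and read the body."""
    headers: Dict[str, str] = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_allowlisted(origin: Optional[str]) -> Dict[str, str]:
    """Hardened form: exact-match allowlist only. Unknown origins get no
    CORS headers at all, so the browser withholds the response from
    cross-origin script."""
    headers: Dict[str, str] = {}
    if origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        # Tell caches the response depends on the request Origin.
        headers["Vary"] = "Origin"
    return headers


def is_cors_misconfigured(request_origin: str,
                          response_headers: Dict[str, str]) -> bool:
    """Return True when an untrusted request Origin comes back reflected in
    Access-Control-Allow-Origin while credentials are allowed. Header names
    are compared case-insensitively. A wildcard ACAO with credentials is not
    flagged here because browsers already refuse that combination."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    acao = lowered.get("access-control-allow-origin")
    creds = lowered.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None or not creds:
        return False
    return acao == request_origin and request_origin not in TRUSTED_ORIGINS


if __name__ == "__main__":
    probe = "https://untrusted.example"  # constructed third-party origin
    for name, policy in (("reflecting", cors_headers_reflecting),
                         ("allowlisted", cors_headers_allowlisted)):
        hdrs = policy(probe)
        print(name, hdrs, "misconfigured:", is_cors_misconfigured(probe, hdrs))
```

Running the block prints the reflecting policy as misconfigured and the allowlisted one as clean; the same `is_cors_misconfigured` check can be pointed at headers captured from a real response (with the allowlist filled in for that deployment) to confirm a fix has landed.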