CVE-2025-43854

DIFY vulnerable to Clickjacking Attack

CVSS 2.3 (Low) · EPSS 0.2% · CWE-1021
Vexday Risk Score: 8 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
Indicators: CVSS 2.3 · EPSS 0.2% · KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle
28 Apr 2025: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
langgenius · dify
