CVE-2025-32790 MEDIUM

CVE-2025-32790: Dify Allows Insecure User Role Access Control for APP DSL Exporting

Vendor Langgenius

Product dify

Weakness CWE-284

Published April 18, 2025

Last update April 18, 2025

View on NVD All CVEs

CVSS base score

6.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrator users to export DSL. A workaround for this vulnerability involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can export the APP DSL. This vulnerability is fixed in 0.6.13.

Key dates

02Disclosure timeline

April 18, 2025 CVE published

April 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-32790 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

CVE-2025-32790: Dify Allows Insecure User Role Access Control for APP DSL Exporting

01Description

02Disclosure timeline

03References

04Related CVE