CVE-2025-43854 LOW

CVE-2025-43854: DIFY vulnerable to Clickjacking Attack

Vendor Langgenius
Product dify
Weakness CWE-1021
Published April 28, 2025
Last update April 28, 2025

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application: the web interface could be embedded in a third-party page, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.

Key dates

Disclosure timeline

April 28, 2025 CVE published
April 28, 2025 Record updated