Key Information Summary

CVE ID: CVE-2025-63388
Date: 2025-12-18
Vendor: LangGenius (Dify)
Product: Dify
Affected Versions: v1.9.1
Vulnerability Type: Insecure Permissions / CORS Misconfiguration
Severity: Medium (Information Disclosure)
Summary: A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the endpoint. This endpoint has an overly permissive CORS policy that allows arbitrary Origin headers and sets .
Impact: Information Disclosure: Attackers can retrieve sensitive system configuration information via malicious cross-origin requests.
References: Vendor Repository Discussions
Credits: Discovered by Zhihuang Liu ()
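The policy weakness summarized above (any Origin accepted) can be checked for and corrected as follows. This is an added example, not Dify's code or the vendor's fix: the allowlist entries, the function names `cors_headers_for` and `audit_cors`, and the sample response are constructed for illustration, and the credentials check reflects general CORS behavior rather than a detail stated on this page.

```python
from urllib.parse import urlsplit

# Constructed allowlist; placeholder origins, not Dify configuration.
ALLOWED_ORIGINS = {"https://console.example.internal", "https://app.example.internal"}

# Constructed response headers showing the permissive pattern (not captured traffic).
PERMISSIVE_RESPONSE = {
    "Access-Control-Allow-Origin": "https://untrusted.example",
    "Access-Control-Allow-Credentials": "true",
}


def cors_headers_for(origin, allowed=ALLOWED_ORIGINS):
    """Hardened policy: echo the Origin only on an exact allowlist match."""
    headers = {"Vary": "Origin"}  # stop caches reusing a per-origin answer
    if origin is None:
        return headers
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    # Exact comparison only: no prefix, suffix or regex matching, so
    # look-alike hosts and the literal "null" origin never match.
    if parts.scheme in ("http", "https") and normalized in allowed:
        headers["Access-Control-Allow-Origin"] = normalized
    return headers


def audit_cors(probe_origin, response_headers):
    """Classify a response that was requested with an Origin the service should not trust."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    findings = []
    if acao == probe_origin:
        findings.append("reflects-untrusted-origin")
        # General CORS rule: a reflected origin plus credentials lets the
        # requesting page read responses made with the user's session.
        if h.get("access-control-allow-credentials", "").lower() == "true":
            findings.append("credentialed-reads-possible")
    elif acao == "*":
        findings.append("wildcard-origin")
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    if acao and acao != "*" and "origin" not in vary:
        findings.append("missing-vary-origin")
    return findings


if __name__ == "__main__":
    probe = "https://untrusted.example"
    print("permissive:", audit_cors(probe, PERMISSIVE_RESPONSE))
    print("hardened:  ", audit_cors(probe, cors_headers_for(probe)))
```

Run `audit_cors` against your own deployment's responses in a regression test so a permissive policy is caught before release.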