CVE-2025-43854
low-risk
Published 2025-04-28
DIFY is an open-source LLM app development platform. Prior to version 1.3.0, the default setup of the DIFY application was vulnerable to clickjacking, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.
Do I need to act?
EPSS: 0.17% chance of exploitation (low exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 6.1/10 (Medium), attack vector NETWORK, LOW attack complexity
References (3)
Issue Tracking: https://github.com/langgenius/dify/pull/18516
29 / 100 · low-risk
Severity: 23/34 · High
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal