CVE-2025-43854: DIFY vulnerable to Clickjacking Attack

2.3 CVSS

Description

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.

Classification

CVE ID: CVE-2025-43854

CVSS Base Severity: LOW

CVSS Base Score: 2.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-1021: Improper Restriction of Rendered UI Layers or Frames

Affected Products

Vendor: langgenius

Product: dify

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.34% (scored less or equal to compared to others)

EPSS Date: 2025-05-27 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-43854
https://github.com/langgenius/dify/security/advisories/GHSA-jhgq-cx3f-vj5p
https://github.com/langgenius/dify/pull/18516

Timeline

2025-04-28 16:40:11 UTC
CVE

DIFY vulnerable to Clickjacking Attack