CVE-2025-49149
CVE-2025-49149 is a medium-severity cross-site scripting (XSS) vulnerability in Dify, an open-source LLM app development platform. Dify 1.2.0 does not sufficiently filter or encode user-supplied input before rendering it into web pages, so an attacker can get script of their choosing executed in the browser of a user who views the affected page. The 5.3/10 rating corresponds to the CVSS 4.0 vector listed under Metrics; the CVSS 3.1 vector listed there computes to 6.1. EPSS estimates a 0.23% chance of exploitation in the next 30 days.
Description
Dify is an open-source LLM app development platform. In version 1.2.0, user input is insufficiently filtered before being placed into web pages. An attacker can submit input containing script code that the application renders into a page without encoding; when a user browses that page, the script executes in their browser, which is a cross-site scripting (XSS) attack. At time of posting, there is no known patched version.
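The following is an added illustration of the flaw class described above, written for this page; it is not Dify's code and does not reproduce the specific Dify 1.2.0 sink named in the advisory. The templates (`app-name` heading, `app` input field), the benign value and the two attacker payloads are constructed assumptions. It shows the same unescaped interpolation in a text-node context and in a single-quoted attribute context, the context-aware encoding that fixes each, and a check that uses a real HTML parser (so already-encoded text such as `&lt;script&gt;` is not mistaken for markup) to report any tag or `on*` handler that appears only when the payload is rendered.

```python
"""Added example: unescaped user input in HTML becomes XSS; output encoding
that is correct for the context fixes it. Illustrative only, not Dify code."""
import html
from html.parser import HTMLParser

# Constructed attacker inputs (assumptions), one per injection context.
TEXT_CONTEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_CONTEXT_PAYLOAD = "' autofocus onfocus='alert(1)"
BENIGN = "Customer Support Bot"  # a normal value the template expects


def render_text_vulnerable(name: str) -> str:
    """Insufficient filtering: user input dropped straight into a text node."""
    return f'<h1 class="app-name">{name}</h1>'


def render_attr_vulnerable(name: str) -> str:
    """Same flaw in an attribute context; a single quote ends the value early."""
    return f"<input name=\"app\" value='{name}'>"


def render_text_fixed(name: str) -> str:
    """Fix for the text-node context: HTML-encode <, >, & and quotes."""
    return f'<h1 class="app-name">{html.escape(name, quote=True)}</h1>'


def render_attr_fixed(name: str) -> str:
    """Fix for the attribute context: keep the attribute quoted AND encode
    quotes inside it (quote=True turns both ' and " into entities)."""
    return f"<input name=\"app\" value='{html.escape(name, quote=True)}'>"


class _MarkupInventory(HTMLParser):
    """Collects every tag and on* event-handler attribute a browser would
    actually parse; encoded text like &lt;script&gt; is not counted."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: set[str] = set()
        self.handlers: set[str] = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag.lower())
        for attr_name, _value in attrs:
            if attr_name.lower().startswith("on"):
                self.handlers.add(attr_name.lower())

    handle_startendtag = handle_starttag


def markup_inventory(document: str) -> tuple[set[str], set[str]]:
    parser = _MarkupInventory()
    parser.feed(document)
    parser.close()
    return parser.tags, parser.handlers


def injected_markup(render, payload: str) -> set[str]:
    """Detection check: render the benign value to learn the template's own
    tags, then return every tag or event handler that is present only when
    the payload is rendered. An empty set means the input stayed inert."""
    base_tags, _ = markup_inventory(render(BENIGN))
    tags, handlers = markup_inventory(render(payload))
    return (tags - base_tags) | handlers


if __name__ == "__main__":
    for label, render, payload in (
        ("text/vulnerable", render_text_vulnerable, TEXT_CONTEXT_PAYLOAD),
        ("text/fixed", render_text_fixed, TEXT_CONTEXT_PAYLOAD),
        ("attr/vulnerable", render_attr_vulnerable, ATTR_CONTEXT_PAYLOAD),
        ("attr/fixed", render_attr_fixed, ATTR_CONTEXT_PAYLOAD),
    ):
        print(f"{label:16} injected={injected_markup(render, payload) or '{}'}")
        print(f"{'':16} {render(payload)}")
```

Encoding must match the context the value lands in: the text-node fix would not by itself be enough in an unquoted attribute or inside a `<script>` block. Template engines with autoescaping on by default (Jinja2 under Flask, React JSX) apply this encoding for you as long as the value is not explicitly marked safe or written through `dangerouslySetInnerHTML`; a restrictive Content-Security-Policy is a worthwhile second layer that limits what an injected script can do if an encoding step is missed.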
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Langgenius | Dify | 1.2.0 |
References
- https://github.com/langgenius/dify/security/advisories/GHSA-grmh-ww4v-5cgj (Exploit, Vendor Advisory)
Source: NVD / NIST
