CVE-2025-3467

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.
Configurations

Configuration 1 (hide)

cpe:2.3:a:langgenius:dify:*:*:*:*:*:node.js:*:*

History

10 Jul 2025, 13:34

Type Values Removed Values Added
References () https://github.com/langgenius/dify/commit/72deb3bed0b0d5d98d7cf44b525cc44bb278f6a7 - () https://github.com/langgenius/dify/commit/72deb3bed0b0d5d98d7cf44b525cc44bb278f6a7 - Patch
References () https://huntr.com/bounties/21723441-7b55-425c-abc4-b1331a713591 - () https://huntr.com/bounties/21723441-7b55-425c-abc4-b1331a713591 - Exploit, Third Party Advisory
First Time Langgenius
Langgenius dify
CPE cpe:2.3:a:langgenius:dify:*:*:*:*:*:node.js:*:*
CVSS v2 : unknown
v3 : 8.0
v2 : unknown
v3 : 5.4

08 Jul 2025, 16:18

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad XSS en versiones de langgenius/dify anteriores a la 1.1.3, que afecta específicamente a los navegadores Firefox. Esta vulnerabilidad permite a un atacante obtener el token del administrador mediante el envío de un payload en el chat publicado. Cuando el administrador visualiza el contenido de la conversación a través de la función de monitorización/registro con Firefox, se activa la vulnerabilidad XSS, lo que podría exponer información confidencial del token al atacante.

07 Jul 2025, 10:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-07-07 10:15

Updated : 2025-07-10 13:34


NVD link : CVE-2025-3467

Mitre link : CVE-2025-3467

CVE.ORG link : CVE-2025-3467


JSON object : View

Products Affected

langgenius

  • dify
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')