Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-3467

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.

Published

2025-07-07T10:15:27.793

Last Modified

2025-07-10T13:34:32.803

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	langgenius	dify	< 1.1.3	Yes

References

https://github.com/langgenius/dify/commit/72deb3bed0b0d5d98d7cf44b525cc44bb278f6a7 Patch ([email protected])
https://huntr.com/bounties/21723441-7b55-425c-abc4-b1331a713591 Exploit, Third Party Advisory ([email protected])