CrowdSec
CrowdSec Score: 10/10

Dify - Improper Access Control (CVE-2025-63387)

Published on 18-12-2025
First seen on 14-01-2026
Public Exploit | CVSS 7.5/10 | LangGenius - Dify

7 exploiting IPs reported

Dify v1.9.1 is vulnerable to insecure permissions: an unauthenticated attacker can send an HTTP GET request to the /console/api/system-features endpoint with no credentials or session token at all. The endpoint performs no authentication or authorization check, so anonymous callers can read sensitive system configuration data.

CrowdSec analysis

CVE-2025-63387 is a vulnerability in Dify v1.9.1 that allows unauthenticated attackers to access sensitive system configuration data by exploiting insecure permissions on the /console/api/system-features endpoint. This flaw could be leveraged for reconnaissance or information disclosure attacks, potentially aiding further exploitation of the system.

CrowdSec has been tracking this vulnerability and its exploits since 7 January 2026.

Data from the CrowdSec community indicates that exploitation of CVE-2025-63387 is selective and intelligence-driven: threat actors reconnoitre first and choose their targets deliberately, often as part of broader campaigns or advanced persistent threat operations. CrowdSec data also shows a clear uptick in attacks involving CVE-2025-63387 over the past week. Activity is above the usual baseline, which points to growing attacker attention and may reflect rising awareness, recent exploit releases, or expanded targeting.

Exploitation requires nothing more than a single unauthenticated GET request to /console/api/system-features. Because the endpoint performs no authentication or authorization check, it returns the system configuration data to anyone who can reach the console API, which makes the request trivial to script and easy to spot in access logs.
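Since the whole attack is one credential-less GET, a defender has two practical checks: whether their own instance answers that request with configuration data, and whether anyone has been probing for it. The Python below is an added example, not CrowdSec's or Dify's code. It assumes a reverse proxy in front of Dify writing nginx combined-format access logs and that the Dify web UI is served from an origin you list (the sign-in page legitimately fetches this document, so requests carrying that referer are excluded as a heuristic). The log lines and HTTP responses are constructed, and the JSON field name in the sample reply is illustrative rather than Dify's schema. The per-IP tallies it produces are the kind of input a local blocklist, or a comparison against CrowdSec's published list, needs.

```python
"""Triage helpers for CVE-2025-63387 (unauthenticated GET on
/console/api/system-features).  Added example, not CrowdSec's or Dify's code.

Assumptions (not from the original page): a reverse proxy in front of Dify
writes nginx "combined" access-log lines, and the Dify UI is served from the
origin(s) passed as own_origins.  All log lines and responses are constructed."""
import json
import re
from collections import Counter

TARGET_PATH = "/console/api/system-features"

# nginx combined format:
# ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: two scripted probes from the internet, one unrelated
# console call, a repeat probe, and one legitimate hit made by the sign-in page.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jan/2026:10:01:02 +0000] "GET /console/api/system-features HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.7 - - [14/Jan/2026:10:01:05 +0000] "GET /console/api/system-features?x=1 HTTP/1.1" 200 612 "-" "curl/8.4.0"
192.0.2.44 - - [14/Jan/2026:10:02:11 +0000] "GET /console/api/workspaces/current HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.10 - - [14/Jan/2026:10:02:30 +0000] "GET /console/api/system-features HTTP/1.1" 200 612 "-" "python-requests/2.31"
10.0.0.5 - - [14/Jan/2026:10:03:00 +0000] "GET /console/api/system-features HTTP/1.1" 200 612 "https://dify.internal/signin" "Mozilla/5.0"
"""


def find_probes(log_text, own_origins):
    """Return parsed GET requests for TARGET_PATH that did not originate from
    the Dify UI itself (heuristic: referer not under one of own_origins).
    A 200 on such a request is exactly the exposure the advisory describes."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # ignore query-string noise
        if m.group("method") != "GET" or path != TARGET_PATH:
            continue
        referer = m.group("referer")
        if any(referer.startswith(o) for o in own_origins):
            continue  # UI traffic: the sign-in page loads this document
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        probes.append(rec)
    return probes


def blocklist_candidates(probes):
    """Source IPs ordered by probe count (descending), then by address."""
    counts = Counter(p["ip"] for p in probes)
    return [ip for ip, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def classify_response(status, content_type, body):
    """Triage the reply to an unauthenticated GET against your own instance.
    'exposed'  : 200 with a non-empty JSON object (configuration returned)
    'protected': 401/403 (credentials are being required)
    otherwise  : 'inconclusive' (redirect to login, HTML error page, ...)"""
    if status in (401, 403):
        return "protected"
    if status == 200 and content_type.lower().startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return "inconclusive"
        if isinstance(data, dict) and data:
            return "exposed"
    return "inconclusive"


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG, {"https://dify.internal"})
    for h in hits:
        print(f'{h["ip"]} {h["ts"]} {h["status"]} {h["ua"]}')
    print("blocklist candidates:", blocklist_candidates(hits))
    # Constructed reply; the field name is illustrative, not Dify's schema.
    print(classify_response(200, "application/json",
                            '{"sso_enforced_for_signin": false}'))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a 200 on this path from outside your own UI origin is the signal, and a 401/403 from classify_response on your own instance means credentials are now being enforced. The referer heuristic is deliberately loose: a scripted probe can forge a referer, so treat it as noise reduction rather than proof of legitimacy.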


Protection

Blocklist

With its worldwide detection network, CrowdSec can provide a list of IPs known to exploit this vulnerability.

To increase your protection against this CVE, block exploitation attempts using this list of identified actors. Blocking known actors reduces exposure but does not remove the flaw: restrict who can reach the console API and apply the vendor's fix.