Cyber Resilience

CVE-2025-11750

Severity: Medium · Public PoC referenced

Published: 22 October 2025
Modified: 30 October 2025
KEV Added: not listed
Patch: none listed
CVSS v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 0.0053 (67.5th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-11750 is a medium-severity vulnerability in Langgenius Dify, classified as Missing Standardized Error Handling Mechanism (CWE-544). The behaviour described below, a login error message that differs depending on whether the account exists, is the classic observable response discrepancy that enables account enumeration. Its CVSS v3.1 base score is 5.3 (Medium): reachable over the network with low attack complexity, no privileges and no user interaction, with a limited confidentiality impact and no impact on integrity or availability.

Operationally, exploitation maps to the MITRE ATT&CK technique Account Discovery (T1087). The CVE ranks in the top 32.5% of CVEs by exploit likelihood (EPSS 67.5th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Privacy and Disclosure risk domain.


Vulnerability details

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.

CWE(s)

CWE-544 Missing Standardized Error Handling Mechanism

AI Security Analysis

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: dify

Related Threats

MITRE ATT&CK Enterprise Techniques

T1087 Account Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
T1110 Brute Force (tactic: Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1110.003 Password Spraying (tactic: Credential Access)
Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials.
T1110.004 Credential Stuffing (tactic: Credential Access)
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap.
Why these techniques?

The vulnerability lets an attacker enumerate valid accounts from the distinct error messages (T1087). A confirmed list of existing accounts is what makes the follow-on brute force attacks (T1110) efficient: password spraying (T1110.003) can be aimed only at real accounts, and credential stuffing (T1110.004) can be limited to leaked credentials whose email address is known to be registered.

Affected Assets

langgenius / dify, version 1.6.0 (the description names the dify-web component)

Mitigating Controls

No mitigating controls have been mapped to this CVE yet. The description itself points to the fix: the login (and registration) endpoint should return the same status and message whether the account is unknown or the password is wrong, so that the response carries no information about account existence.
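As an added illustration of the weakness described under "Vulnerability details" and of the control this section would list, the following Python is not Dify's code: the handler shapes, the user store, the salt and the credentials are all constructed for the demo. It shows a login handler with the response discrepancy the advisory describes beside a hardened one that answers identically for an unknown account and a wrong password, together with the enumeration check that tells the two apart.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List

# Constructed demo, not Dify code. PBKDF2 rounds are kept low so the demo runs
# quickly; a real deployment uses a far higher work factor.
PBKDF2_ROUNDS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


SALT = b"constructed-demo-salt"  # made up for the demo
USERS: Dict[str, bytes] = {  # constructed account table
    "alice@example.com": hash_password("correct horse battery staple", SALT),
}

# Hash of a random password that the hardened handler verifies against when the
# account does not exist, so a miss costs the same work as a hit. The uniform
# message closes the content side channel; this narrows the timing one.
DUMMY_HASH = hash_password(secrets.token_hex(16), SALT)

GENERIC_FAILURE = {"status": 401, "message": "invalid email or password"}


def login_vulnerable(email: str, password: str) -> dict:
    """The pattern the advisory describes: the failure message leaks existence."""
    stored = USERS.get(email)
    if stored is None:
        return {"status": 401, "message": "account not found"}
    if not hmac.compare_digest(stored, hash_password(password, SALT)):
        return {"status": 401, "message": "incorrect password"}
    return {"status": 200, "message": "ok"}


def login_hardened(email: str, password: str) -> dict:
    """Unknown account and wrong password produce byte-identical responses."""
    stored = USERS.get(email)
    expected = stored if stored is not None else DUMMY_HASH
    matched = hmac.compare_digest(expected, hash_password(password, SALT))
    if stored is None or not matched:
        return dict(GENERIC_FAILURE)
    return {"status": 200, "message": "ok"}


def enumerate_accounts(login: Callable[[str, str], dict], candidates: List[str]) -> List[str]:
    """Return the candidates the login endpoint reveals as existing.

    Baseline: the failure response for an address that certainly does not exist.
    Any candidate whose failure response differs from that baseline is flagged.
    A random probe password keeps the check from accidentally logging in.
    """
    probe = secrets.token_hex(16)
    baseline = login(f"{secrets.token_hex(8)}@nonexistent.invalid", probe)
    flagged = []
    for email in candidates:
        resp = login(email, probe)
        if resp["status"] != 200 and resp != baseline:
            flagged.append(email)
    return flagged


if __name__ == "__main__":
    wordlist = ["alice@example.com", "bob@example.com", "carol@example.com"]
    print("vulnerable handler leaks:", enumerate_accounts(login_vulnerable, wordlist))
    print("hardened handler leaks:  ", enumerate_accounts(login_hardened, wordlist))
```

The same check run against a registration or password-reset endpoint looks for the same thing: any difference in status, body or redirect between a known and an unknown address. The usual fix there is to answer identically in both cases and deliver the real outcome by email. Uniform messages remove the discrepancy the advisory describes; rate limiting on the endpoint and a constant amount of work per request (the dummy-hash comparison above) are what keep the remaining volume and timing channels from substituting for it.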
