CVE-2025-43854
Published: 28 April 2025
Summary
CVE-2025-43854 is a low-severity Improper Restriction of Rendered UI Layers or Frames (CWE-1021) vulnerability in Langgenius Dify. Its CVSS base score is 2.3 (Low).
Operationally, ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12580
Vulnerability details
DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without…
more
their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: dify, llm
Related Threats
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.