CVE-2025-11750

Source
https://cve.org/CVERecord?id=CVE-2025-11750
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11750.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-11750
Published
2025-10-22T13:13:32.493Z
Modified
2026-07-08T08:12:43.207596830Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
User Enumeration via Distinct Error Messages in langgenius/dify-web
Details

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/11xxx/CVE-2025-11750.json",
    "cwe_ids": [
        "CWE-544"
    ],
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/langgenius/dify

Affected ranges

Type
GIT
Repo
https://github.com/langgenius/dify
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:langgenius:dify:1.6.0:*:*:*:*:node.js:*:*",
    "extracted_events": [
        {
            "introduced": "1.6.0"
        },
        {
            "last_affected": "1.6.0"
        }
    ]
}

Affected versions

1.*
1.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11750.json"