CVE-2025-59422

🗓️ 25 Sep 2025 13:19:11Reported by GitHub_MType

cve🔗 web.nvd.nist.gov👁 7 Views🌐 WEB

CVE-2025-59422: Dify 1.8.1 exposed others' chat messages; fixed in 1.9.0.

Reporter	Title	Published	Views	Family All 8
CNNVD	dify 安全漏洞	25 Sep 202500:00	–	cnnvd
Cvelist	CVE-2025-59422 Dify Has Broken Access Control on Log Message Endpoint Allows Reading of Chats of Others	25 Sep 202513:19	–	cvelist
EUVD	EUVD-2025-31091	3 Oct 202520:07	–	euvd
NVD	CVE-2025-59422	25 Sep 202514:15	–	nvd
OSV	CVE-2025-59422 Dify Has Broken Access Control on Log Message Endpoint Allows Reading of Chats of Others	25 Sep 202513:19	–	osv
Positive Technologies	PT-2025-39373	25 Sep 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-59422	26 Sep 202513:47	–	redhatcve
Vulnrichment	CVE-2025-59422 Dify Has Broken Access Control on Log Message Endpoint Allows Reading of Chats of Others	25 Sep 202513:19	–	vulnrichment

NVD

Vulners

Node

langgenius difyMatch1.8.1node.js

[
  {
    "vendor": "langgenius",
    "product": "dify",
    "versions": [
      {
        "version": "= 1.8.1",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/langgenius/dify/commit/b2d8a7eaf1693841411934e2056042845ab4f354
github	www.github.com/langgenius/dify/security/advisories/GHSA-jg5j-c9pq-w894

Parameter	Position	Path	Description	CWE
conversation_id	query param	console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10	Broken access control allows users in the same workspace to read chat messages of other users via the chat-messages endpoint.	CWE-284
limit	query param	console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10	Broken access control allows users in the same workspace to read chat messages of other users via the chat-messages endpoint.	CWE-284

14 Oct 2025 14:10Current

6.3Medium risk

Vulners AI Score6.3

CVSS 3.13.1

CVSS 46

EPSS0.00032

SSVC

CWE-284