Dify MCP OAuth Flow Vulnerable to XSS

High
crazywoola published GHSA-9jch-j9qf-vqfw Oct 17, 2025

Package

dify

Affected versions

<=1.8.0

Patched versions

1.8.0

Description

Summary

Dify's MCP OAuth component is vulnerable to XSS (cross-site scripting) when a victim connects to an attacker-controlled remote MCP server.

Vulnerable Snippet

// https://github.com/langgenius/dify/blob/main/web/app/components/tools/mcp/detail/content.tsx#L112
    // authorization_url originates from the remote MCP server's OAuth flow and is passed on unchecked
    else if (res.authorization_url)
      openOAuthPopup(res.authorization_url, handleOAuthCallback)
  }, [onFirstCreate, isCurrentWorkspaceManager, detail, authorizeMcp, handleUpdateTools, handleOAuthCallback])
// https://github.com/langgenius/dify/blob/7c340695d60c4d7fa829fde65162e371b8bf45e8/web/hooks/use-oauth.ts#L15
export const openOAuthPopup = (url: string, callback: () => void) => {
  const width = 600
  const height = 600
  const left = window.screenX + (window.outerWidth - width) / 2
  const top = window.screenY + (window.outerHeight - height) / 2

  // Sink: url reaches window.open with no scheme validation
  const popup = window.open(
    url,
    'OAuth',
    `width=${width},height=${height},left=${left},top=${top},scrollbars=yes`,
  )
  ...
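
A scheme allow-list placed in front of the `window.open` sink shown above, as an added example (not Dify's code and not its actual fix). `parseAuthorizationUrl`, `openOAuthPopupChecked`, the injected opener and the loopback exception for plain `http:` are hypothetical names and assumptions.

```typescript
// Added example: not Dify's code and not its actual patch.
// Assumption: a legitimate authorization_url is an absolute https: URL,
// with plain http: tolerated only for loopback development servers.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]'])

function parseAuthorizationUrl(raw: unknown): URL | null {
  if (typeof raw !== 'string') return null
  let parsed: URL
  try {
    // No base argument: relative references throw and are rejected.
    // The WHATWG parser lower-cases the scheme and strips leading spaces,
    // tabs and newlines, the same normalisation a browser applies, so the
    // check below sees the scheme the browser would act on.
    parsed = new URL(raw)
  } catch {
    return null
  }
  if (parsed.protocol === 'https:') return parsed
  if (parsed.protocol === 'http:' && LOOPBACK_HOSTS.has(parsed.hostname)) return parsed
  return null // javascript:, data:, blob:, file:, custom schemes, remote http:
}

// Hypothetical wrapper around the page's openOAuthPopup sink. The opener is
// injected (window.open in the browser) so the gate can be unit-tested.
type Opener = (url: string, target: string, features: string) => unknown

function openOAuthPopupChecked(rawUrl: unknown, open: Opener): boolean {
  const url = parseAuthorizationUrl(rawUrl)
  if (url === null) return false // refuse; the caller should surface an error
  open(url.href, 'OAuth', 'width=600,height=600,scrollbars=yes')
  return true
}
```

Comparing the parsed `protocol` rather than string-matching the raw value is what makes the check robust to case and whitespace variations in the scheme.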

Proof of Concept

  • Deploy a malicious remote MCP server: mcp-dify-xss.py
  • Connect to the MCP server

NOTE: The demonstration uses a locally deployed MCP server, but in production this is not the case. The malicious MCP server is typically deployed on the remote end. In addition, a remote MCP server is typically considered secure enough to trust, as it does not share the same OS with the client side. However, this vulnerability speaks for itself.

Severity

High

CVE ID

CVE-2025-58747

Weaknesses

No CWEs