Dify MCP OAuth Component Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in the Dify application development platform, specifically in versions through 1.9.1. The issue arises in the OAuth flow implementation of the MCP component, where the authorization URL from a remote MCP server is directly passed to a new window without proper validation or sanitization. This flaw allows an attacker to execute arbitrary JavaScript in the context of the Dify application by crafting a malicious MCP server that returns a JavaScript URI in the authorization URL field.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the user's browser, potentially leading to session hijacking or other malicious actions within the application.

Reproduction

To reproduce this vulnerability, connect to an attacker-controlled remote MCP server using Dify version 1.9.1 or earlier. The server must be set up to return a JavaScript URI in the authorization URL field. Once connected, the malicious JavaScript will be executed in the context of the Dify application.

Remediation

Users can update to Dify version 1.8.0 or later, where this vulnerability has been patched.