langgenius dify
cpe:2.3:a:langgenius:dify:*:*:*:*:node.js:*:*
- <= 1.11.4
A cross-site scripting (XSS) vulnerability has been identified in Dify, an open-source platform for developing applications with large language models (LLMs). This issue affects versions prior to 1.13.0 and arises in the web application's chat frontend when using ECharts. The vulnerability allows for the execution of JavaScript payloads embedded in user or LLM inputs that are processed by ECharts.
Exploitation of this vulnerability allows for full execution of arbitrary JavaScript in the context of the user's browser, potentially leading to account or session takeover, data exfiltration from the UI, unauthorized actions via in-app APIs, and, if the payload is saved in chat history, a persistent XSS risk for future viewers.
To reproduce this vulnerability, input a crafted ECharts configuration that includes a JavaScript payload into the chat application. The payload will be executed as JavaScript, demonstrating the cross-site scripting vulnerability.
Users can upgrade to Dify version 1.13.0 or later, where this vulnerability has been fixed.
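As an added, defender-side example (not Dify's or ECharts' code, and not a description of the actual Dify fix): one way a chat frontend can gate an ECharts configuration taken from a user or LLM message before handing it to `echarts.setOption()`. It assumes the configuration arrives as a JSON string embedded in the message; the list of text-bearing keys and the checks are this example's own assumptions.

```javascript
// Added example: validate an untrusted ECharts option before rendering it.
// Assumes the option text comes from a chat message (user- or LLM-authored).

// Option keys whose string values ECharts may render as HTML (e.g. the
// default HTML tooltip). Assumed list for this example, not exhaustive.
const HTML_CAPABLE_KEYS = new Set(["formatter", "name", "text", "subtext"]);

// Walk a parsed option and collect JSON paths that are unsafe to render:
// function values, prototype-polluting keys, and markup or script URIs in
// fields that may end up in the DOM.
function findUnsafeEChartsPaths(value, path = "$") {
  const problems = [];
  if (typeof value === "function") {
    problems.push(`${path}: function values are not allowed`);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) =>
      problems.push(...findUnsafeEChartsPaths(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [key, v] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (key === "__proto__" || key === "constructor" || key === "prototype") {
        problems.push(`${childPath}: prototype-polluting key`);
        continue;
      }
      if (HTML_CAPABLE_KEYS.has(key) && typeof v === "string" &&
          /<|javascript:/i.test(v)) {
        problems.push(`${childPath}: markup or script URI in a text field`);
      }
      problems.push(...findUnsafeEChartsPaths(v, childPath));
    }
  }
  return problems;
}

// Parse with JSON.parse only (never eval / new Function, which would turn a
// chart config into executable code), validate, and force canvas-drawn
// tooltips so tooltip text is never injected as HTML.
function parseSafeEChartsOption(jsonText) {
  let option;
  try {
    option = JSON.parse(jsonText);
  } catch (e) {
    return { ok: false, problems: ["option is not valid JSON"] };
  }
  const problems = findUnsafeEChartsPaths(option);
  if (problems.length > 0) return { ok: false, problems };
  option.tooltip = { ...(option.tooltip || {}), renderMode: "richText" };
  return { ok: true, option };
}
```

A rejected option should be shown to the viewer as plain text (or dropped) rather than passed to ECharts; the returned paths tell a reviewer which field tripped the check.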