IMPORTANT SECURITY NOTICE
⚠️ For users who upgraded to version 1.10.1-fix.1, please ensure you are now running langgenius/dify-web:1.11.1 and related services on the latest release.
This update is strongly recommended to fully mitigate multiple security vulnerabilities affecting React Server Components.
Background
React has disclosed multiple critical vulnerabilities affecting React Server Components, including but not limited to:
🔴 CVE-2025-55182
A critical vulnerability in React Server Components that may allow unexpected server-side behavior and potential data exposure under specific rendering conditions.
🔴 CVE-2025-55184
Another React Server Components–related vulnerability that could lead to improper isolation between server-rendered components, increasing the risk of cross-boundary data leakage.
🔴 CVE-2025-67779
A security issue affecting the React rendering pipeline that may result in unintended execution paths or unsafe state reuse in server environments.
These vulnerabilities primarily affect self-hosted deployments that bundle vulnerable React versions.
Affected Scope
- ✅ Dify SaaS: Not affected
- ⚠️ Self-hosted Dify: Affected if running outdated images
All React dependencies have been upgraded to patched versions in the latest release.
Required Action ✅
Self-hosted users must upgrade immediately to:
👉 Release v1.11.1
https://github.com/langgenius/dify/releases/tag/1.11.1
Please also verify that your docker-compose.yml (or equivalent) references the correct images, for example:
image: langgenius/dify-web:1.11.1
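One way to run that check over a compose file, as an added example (not Dify's own tooling). It assumes tags follow MAJOR.MINOR.PATCH with an optional suffix such as -fix.1, checks only langgenius/dify-web because that is the one image this notice names, and uses a constructed sample file with a placeholder mirror hostname.

```python
import re

PATCHED = (1, 11, 1)  # release the notice tells self-hosted users to run
IMAGE_LINE = re.compile(r"""^\s*image:\s*['"]?(?P<ref>[^\s'"#]+)""")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?$")  # e.g. 1.10.1-fix.1

def audit_compose(text, repo="langgenius/dify-web", minimum=PATCHED):
    """Return (line_number, image_ref, status) for every `repo` image in text.

    status is "ok", "outdated", or "unverifiable" (floating tag, digest-only
    pin, or ${VAR} interpolation that the file alone cannot resolve).
    """
    ref_re = re.compile(r"(?:^|/)" + re.escape(repo) + r"(?::(?P<tag>[^@]+))?(?:@.*)?$")
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line_match = IMAGE_LINE.match(line)  # commented-out lines do not match
        if not line_match:
            continue
        ref = line_match.group("ref")
        ref_match = ref_re.search(ref)
        if not ref_match:
            continue  # some other image
        tag = ref_match.group("tag") or "latest"  # Docker's default tag
        version = VERSION.match(tag)
        if version is None:
            status = "unverifiable"
        elif tuple(map(int, version.groups())) < minimum:
            status = "outdated"  # assumption: only the numeric core is compared
        else:
            status = "ok"
        findings.append((lineno, ref, status))
    return findings

# Constructed sample, not a real deployment file.
SAMPLE_COMPOSE = """\
services:
  api:
    image: langgenius/dify-api:1.11.1
  web:
    image: langgenius/dify-web:1.10.1-fix.1
  web_mirror:
    image: "registry.example.internal:5000/langgenius/dify-web:1.11.1"
  web_floating:
    image: langgenius/dify-web:latest
"""

if __name__ == "__main__":
    for lineno, ref, status in audit_compose(SAMPLE_COMPOSE):
        print(f"line {lineno}: {ref} -> {status}")
```

An "unverifiable" result means the file does not pin a version, so the running container's image has to be inspected directly to confirm it is 1.11.1 or later.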
References
🔐 Security Policy
https://github.com/langgenius/dify?tab=readme-ov-file#security-disclosure
🛡️ GitHub Advisory Database
For security issues, please use GitHub Security Advisories:
https://github.com/langgenius/dify/security/advisories/new
⚠️ We have already received many reports.
Please do not submit duplicate issues for these CVEs (CVE-2025-55182, CVE-2025-55184, CVE-2025-67779).
Duplicate Issues (Closed)