CVE-2025-65107

Medium CVSS: 6.5

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.

Vendor

Langfuse

Product

Langfuse

CWE

CWE-285

Yayın Tarihi

2025-11-21 22:16:33

Güncelleme

2025-12-03 15:24:37

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-285 Langfuse MEDIUM Langfuse 2025

Referanslar

https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w

Benzer Kayıtlar

Medium

CVE-2026-24055

Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/sla…

Medium

CVE-2025-64504

Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2…

High

CVE-2025-59305

Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated use…

Low

CVE-2025-9799

A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChang…