← Back

CVE-2025-65107

nvd nist
Published: Nov 21, 2025Modified: Dec 3, 2025

JSON object

Loading...
6.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Exploitability: 2.8 / Impact: 3.6
Source: security-advisories@github.com (Secondary)

Description

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.

Affected (2)

Products: Langfuse: Langfuse
Langfuse
1 product
Langfuse
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Langfuse
Langfuse
From 2.95.0 to 2.95.12
Langfuse
From 3.17.0 to 3.131.0

Related CWEs

CWE-285
Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

Source: security-advisories@github.com
MitigationVendor Advisory

Timeline

No history available yet.