CVE-2025-65107

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:langfuse:langfuse::::::::
	cpe:2.3:a:langfuse:langfuse::::::::

History

03 Dec 2025, 15:24

Type	Values Removed	Values Added
References	~~() https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w -~~	() https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w - Vendor Advisory, Mitigation
First Time		Langfuse Langfuse langfuse
CPE		cpe:2.3:a:langfuse:langfuse::::::::

21 Nov 2025, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-21 22:16

Updated : 2025-12-03 15:24

NVD link : CVE-2025-65107

Mitre link : CVE-2025-65107

CVE.ORG link : CVE-2025-65107

JSON object : View

Products Affected

langfuse

langfuse

CWE

CWE-285

Improper Authorization

CWE-352

Cross-Site Request Forgery (CSRF)

6.5 /10