Platform: other
Component: langfuse
Fixed in: 2.95.1, 3.17.1
CVE-2025-65107 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Langfuse, an open-source large language model engineering platform. This flaw allows an attacker to potentially take over user accounts by tricking authenticated users into unknowingly executing malicious requests. The vulnerability impacts versions 2.95.0 through 3.130.9, and has been resolved in versions 2.95.12 and 3.131.0.
The primary impact of CVE-2025-65107 is unauthorized account takeover. An attacker can craft a malicious URL that, when visited by an authenticated user, triggers actions on their behalf without their knowledge or consent. This could involve modifying user settings, accessing sensitive data, or performing other actions as if they were the legitimate user. The vulnerability is particularly concerning because it leverages the user's existing authentication session, making it difficult to detect. Successful exploitation requires the user to interact with the malicious URL, typically through phishing or other social engineering techniques. The blast radius is limited to the individual user accounts affected, but the potential for widespread compromise exists if the attacker can target a large number of users.
CVE-2025-65107 was publicly disclosed on 2025-11-21. No public proof-of-concept (PoC) code has been released at the time of writing. The EPSS score is pending evaluation, but given the potential for account takeover, it is likely to be assessed as medium or high probability. It is not currently listed on the CISA KEV catalog.
Organizations using Langfuse for LLM engineering, particularly those relying on Single Sign-On (SSO) integrations, are at risk. Deployments that do not explicitly configure the AUTH_<PROVIDER>_CHECK setting are especially exposed. Shared hosting environments where multiple users share the same Langfuse instance should be prioritized for patching.
• linux / server: Examine Langfuse configuration files for the presence of AUTH_<PROVIDER>_CHECK. Use grep to search for this setting in /etc/langfuse/config.yml or similar configuration locations:

    grep -r AUTH_GOOGLE_CHECK /etc/langfuse/config.yml
    grep -r AUTH_GITHUB_CHECK /etc/langfuse/config.yml

• generic web: Monitor access logs for unusual requests originating from unfamiliar IP addresses, especially those targeting SSO authentication endpoints. Look for patterns indicative of CSRF attempts.
• wordpress / composer / npm: N/A - Langfuse is not a WordPress plugin or Node.js package.
Exploit status: disclosure
EPSS: 0.03% (percentile 9%)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-65107 is to upgrade Langfuse to version 2.95.12 or 3.131.0, which contain the fix. If upgrading immediately is not feasible, a workaround is to set the AUTH_<PROVIDER>_CHECK configuration option. This setting enforces stricter authentication checks and prevents the CSRF attack from succeeding. Review each SSO provider configuration to ensure the setting is present. Implement user awareness training on the risks of phishing and malicious URLs. Consider implementing a Content Security Policy (CSP) to restrict the sources from which scripts can be executed, further mitigating the risk of CSRF attacks. After upgrading, confirm the fix by attempting to trigger a request via a crafted URL and verifying that it is blocked.
Update Langfuse to version 2.95.12 or later, or to version 3.131.0 or later. Alternatively, explicitly configure the AUTH_<PROVIDER>_CHECK option in your SSO configuration.
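The detection step above greps for one provider at a time; the following audit script, added here as an example and not taken from the advisory or the Langfuse project, generalizes it to every configured SSO provider. It assumes Langfuse reads its SSO settings from environment variables or a dotenv-style file, that an AUTH_<PROVIDER>_CLIENT_ID variable marks a configured provider, and it follows the page's AUTH_<PROVIDER>_CHECK naming for the workaround setting. The sample environment content is constructed; the CHECK value is a placeholder, not a documented value.

```python
import os
import re
from typing import Dict, List, Set

# Variable families this audit cares about, following the advisory's naming
# (AUTH_<PROVIDER>_CHECK). Treating AUTH_<PROVIDER>_CLIENT_ID as the marker of a
# configured SSO provider is an assumption about the deployment. The character
# class allows underscores so multi-word provider names are handled.
PROVIDER_VAR = re.compile(r"^AUTH_([A-Z0-9_]+)_(CLIENT_ID|CHECK)$")


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse dotenv-style KEY=VALUE lines; blanks, comments and malformed lines are skipped."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Strip optional surrounding quotes so CHECK="" is treated as unset.
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_sso_checks(env: Dict[str, str]) -> Dict[str, List[str]]:
    """Split configured providers by whether AUTH_<PROVIDER>_CHECK has a non-empty value."""
    configured: Set[str] = set()
    checked: Set[str] = set()
    for key, value in env.items():
        match = PROVIDER_VAR.match(key)
        if not match:
            continue
        provider, kind = match.groups()
        if not value:
            continue  # an empty value counts as unset for both families
        if kind == "CLIENT_ID":
            configured.add(provider)
        else:
            checked.add(provider)
    # A CHECK variable for a provider that has no CLIENT_ID is ignored:
    # the provider is not configured, so it is neither protected nor exposed.
    return {
        "protected": sorted(configured & checked),
        "unprotected": sorted(configured - checked),
    }


def audit_process_env() -> Dict[str, List[str]]:
    """Run the same audit against the current process environment, e.g. inside the Langfuse container."""
    return audit_sso_checks(dict(os.environ))


# Constructed sample: one provider with the check set, one without, and a stray
# CHECK for an unconfigured provider. Values are placeholders, not credentials;
# consult the Langfuse documentation for the accepted CHECK values.
SAMPLE_ENV = """\
NEXTAUTH_SECRET=constructed-placeholder
AUTH_GOOGLE_CLIENT_ID=constructed-google-client-id
AUTH_GOOGLE_CLIENT_SECRET=constructed-google-secret
AUTH_GOOGLE_CHECK="placeholder-check-value"
AUTH_GITHUB_CLIENT_ID=constructed-github-client-id
AUTH_GITHUB_CLIENT_SECRET=constructed-github-secret
# AUTH_GITHUB_CHECK is deliberately absent, so GITHUB is reported as unprotected
AUTH_OKTA_CHECK=placeholder-check-value
"""


if __name__ == "__main__":
    result = audit_sso_checks(parse_env_file(SAMPLE_ENV))
    for provider in result["protected"]:
        print(f"OK       {provider}: AUTH_{provider}_CHECK is set")
    for provider in result["unprotected"]:
        print(f"MISSING  {provider}: set AUTH_{provider}_CHECK or upgrade Langfuse")
```

Run it against the real environment with `audit_process_env()` from inside the Langfuse container, or point `parse_env_file` at the deployment's .env file; any provider in the "unprotected" list needs the workaround setting or the patched release.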
CVE-2025-65107 is a CSRF vulnerability in Langfuse versions 2.95.0–>= 3.17.0, < 3.131.0, allowing potential account takeover via crafted URLs.
You are affected if you are running Langfuse versions 2.95.0–>= 3.17.0, < 3.131.0 and have not configured AUTH_<PROVIDER>_CHECK.
Upgrade to Langfuse version 2.95.12 or 3.131.0. As a workaround, configure AUTH_<PROVIDER>_CHECK in your SSO provider configurations.
There is no confirmed active exploitation of CVE-2025-65107 at this time, but the potential for exploitation exists.
Refer to the Langfuse security advisory for details: [https://github.com/langfuse/langfuse/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)