CVE-2025-9799

Name of the Vulnerable Software and Affected Versions Langfuse versions through 3.88.0

Description A security flaw exists in Langfuse, potentially leading to server-side request forgery. The vulnerability is located in the promptChangeEventSourcing function within the web/src/features/prompts/server/routers/promptRouter.ts file of the Webhook Handler component. The attack can be initiated remotely and requires a high degree of complexity, though exploitation appears to be difficult. The exploit has been released publicly.

Recommendations Versions prior to 3.88.0 are recommended.