PT-2025-47813 · Langfuse · Langfuse

Published 2025-11-21 · Updated 2025-12-03 · CVE-2025-65107

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Langfuse versions 2.95.0 through 2.95.11
Langfuse versions 3.17.0 through 3.130.0
Description Langfuse is an open-source platform for large language model (LLM) engineering (tracing, prompt management and evaluation). In Single Sign-On (SSO) provider configurations that do not set the AUTH CHECK setting explicitly, an attacker can potentially take over a user's account by getting that user, while authenticated to Langfuse, to open a specially crafted URL, for example through a Cross-Site Request Forgery (CSRF) or phishing lure. The attacker needs no privileges of their own, but the attack depends on the victim's interaction (UI:R in the vector), and the rated impact is a full loss of confidentiality of the affected account (C:H) with no direct integrity or availability impact.
Recommendations Update Langfuse 2.x deployments to version 2.95.12 or later and 3.x deployments to version 3.131.0 or later. If an immediate upgrade is not possible, configure the AUTH CHECK setting explicitly in the SSO provider configuration as a workaround; the vulnerable condition is the absence of an explicit value.
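A practitioner's first question is whether a given deployment falls inside the two version windows above. The script below is an added example (not part of this advisory and not Langfuse project code): it parses a version string, checks it against the inclusive ranges the advisory lists, and names the first fixed release on the same branch. It works on a constructed health-check response embedded inline; the shape of that response (a JSON body with a "version" field) and the idea of fetching it from a Langfuse instance are assumptions, so substitute whatever version source your deployment exposes.

```python
"""Check a Langfuse version against the affected ranges in PT-2025-47813.

Added example, not Langfuse project code. The health-response shape below is
an assumption; the version ranges are exactly those the advisory lists.
"""
import json
import re
from typing import Optional, Tuple

# Affected ranges exactly as the advisory states them (both ends inclusive).
AFFECTED_RANGES = (
    ((2, 95, 0), (2, 95, 11)),
    ((3, 17, 0), (3, 130, 0)),
)

# First fixed release on each major branch, per the advisory's recommendations.
FIXED_VERSIONS = {2: (2, 95, 12), 3: (3, 131, 0)}

# Accepts "3.130.0", "v3.130.0" and pre-release tags such as "3.130.0-rc.1";
# a pre-release is treated as its base version, which is the conservative choice.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True only if the version lies inside a range the advisory lists."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Name the first fixed release on the same branch, or None if already
    at or past it (or on a branch the advisory does not cover)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None or parsed >= fixed:
        return None
    return ".".join(str(part) for part in fixed)


def assess_health_response(body: str) -> dict:
    """Assess a JSON health response that carries a "version" field.

    The field name is an assumption about the deployment, not a Langfuse API
    guarantee; adapt it to whatever your instance actually returns.
    """
    data = json.loads(body)
    version = data["version"]
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": recommended_fix(version),
    }


# Constructed sample response standing in for a live instance.
SAMPLE_HEALTH = '{"status": "OK", "version": "3.120.4"}'

if __name__ == "__main__":
    print(assess_health_response(SAMPLE_HEALTH))
```

Because the advisory names only the ranges above, the check answers "affected" strictly for those; an older 2.x release outside the listed window is reported as not affected but is still told which release to move to, so the upgrade advice is never weaker than the advisory's.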

Weakness Enumeration

Improper Authorization
CSRF

Related Identifiers

CVE-2025-65107
GHSA-w9pw-c549-5m6w

Affected Products

Langfuse