216.73.216.174

CVE-2025-65107

· Published 21/11/2025 22:16 · Modified 03/12/2025 15:24

Labels: CVE-2025-65107 2025-11-21CVE-2025-65107CWE-285[email protected]

Essential information

Published
21/11/2025 22:16
Modified
03/12/2025 15:24
Author
Creator
CVSS
6.5 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CVSS metrics

Description

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.

NVD status

Status
Analyzed — CVE has had analysis completed and all data associations made.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
langfuse / langfuse cpe:2.3:a:langfuse:langfuse:*:*:*:*:*:*:*:*
langfuse / langfuse cpe:2.3:a:langfuse:langfuse:*:*:*:*:*:*:*:*

References