CVE-2025-65107

MEDIUM

Langfuse < 2.95.12 - Improper Authorization

Title source: rule

Description

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.

References (1)

[Mitigation, Vendor Advisory] https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Classification

CWE

CWE-285 CWE-352

Status published

Affected Products (1)

langfuse/langfuse < 2.95.12

Timeline

Published Nov 21, 2025

Tracked Since Feb 18, 2026