Unrated severityNVD Advisory· Published Nov 21, 2025· Updated Nov 24, 2025

Langfuse SSO Account Takeover via CSRF or phishing attack

CVE-2025-65107

Description

Langfuse is an open source large language model engineering platform. In versions from 2.95.0 to before 2.95.12 and from 3.17.0 to before 3.131.0, in SSO provider configurations without an explicit AUTH_<PROVIDER>_CHECK setting, a potential account takeover may happen if an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. A workaround for this issue involves setting AUTH_<PROVIDER>_CHECK.

Affected products

Langfuse/Langfusev5
Range: >= 2.95.0, < 2.95.12

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6wmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000