CVE-2025-65107 MEDIUM

CVE-2025-65107: Langfuse SSO Account Takeover via CSRF or phishing attack

Vendor Langfuse
Product langfuse
Weakness CWE-352 · CSRF
Published November 21, 2025
Last update November 24, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Langfuse is an open source large language model engineering platform. In versions 2.95.0 up to (but not including) 2.95.12 and 3.17.0 up to (but not including) 3.131.0, SSO provider configurations that lack an explicit AUTH_<PROVIDER>_CHECK setting allow a potential account takeover when an authenticated user is made to call a specifically crafted URL via a CSRF or phishing attack. This issue has been patched in versions 2.95.12 and 3.131.0. As a workaround, set AUTH_<PROVIDER>_CHECK explicitly for each configured SSO provider.

Key dates

Disclosure timeline

November 21, 2025 CVE published
November 24, 2025 Record updated