CVE-2025-9799 LOW

CVE-2025-9799: Langfuse Webhook promptRouter.ts promptChangeEventSourcing server-side request forgery

Vendor N/A
Product Langfuse
Weakness CWE-918 · SSRF
Published September 1, 2025
Last update September 2, 2025
View on NVD All CVEs

CVSS base score

2.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited.

Key dates

02Disclosure timeline

September 1, 2025 CVE published
September 2, 2025 Record updated