CVE-2025-9799

Summary

A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited.

Affected Software

VendorProductVersion RangeStatus
n/aLangfuse3.0affected
n/aLangfuse3.1affected
n/aLangfuse3.2affected
n/aLangfuse3.3affected
n/aLangfuse3.4affected
n/aLangfuse3.5affected
n/aLangfuse3.6affected
n/aLangfuse3.7affected
n/aLangfuse3.8affected
n/aLangfuse3.9affected
n/aLangfuse3.10affected
n/aLangfuse3.11affected
n/aLangfuse3.12affected
n/aLangfuse3.13affected
n/aLangfuse3.14affected
n/aLangfuse3.15affected
n/aLangfuse3.16affected
n/aLangfuse3.17affected
n/aLangfuse3.18affected
n/aLangfuse3.19affected
n/aLangfuse3.20affected
n/aLangfuse3.21affected
n/aLangfuse3.22affected
n/aLangfuse3.23affected
n/aLangfuse3.24affected
n/aLangfuse3.25affected
n/aLangfuse3.26affected
n/aLangfuse3.27affected
n/aLangfuse3.28affected
n/aLangfuse3.29affected
n/aLangfuse3.30affected
n/aLangfuse3.31affected
n/aLangfuse3.32affected
n/aLangfuse3.33affected
n/aLangfuse3.34affected
n/aLangfuse3.35affected
n/aLangfuse3.36affected
n/aLangfuse3.37affected
n/aLangfuse3.38affected
n/aLangfuse3.39affected
n/aLangfuse3.40affected
n/aLangfuse3.41affected
n/aLangfuse3.42affected
n/aLangfuse3.43affected
n/aLangfuse3.44affected
n/aLangfuse3.45affected
n/aLangfuse3.46affected
n/aLangfuse3.47affected
n/aLangfuse3.48affected
n/aLangfuse3.49affected
n/aLangfuse3.50affected
n/aLangfuse3.51affected
n/aLangfuse3.52affected
n/aLangfuse3.53affected
n/aLangfuse3.54affected
n/aLangfuse3.55affected
n/aLangfuse3.56affected
n/aLangfuse3.57affected
n/aLangfuse3.58affected
n/aLangfuse3.59affected
n/aLangfuse3.60affected
n/aLangfuse3.61affected
n/aLangfuse3.62affected
n/aLangfuse3.63affected
n/aLangfuse3.64affected
n/aLangfuse3.65affected
n/aLangfuse3.66affected
n/aLangfuse3.67affected
n/aLangfuse3.68affected
n/aLangfuse3.69affected
n/aLangfuse3.70affected
n/aLangfuse3.71affected
n/aLangfuse3.72affected
n/aLangfuse3.73affected
n/aLangfuse3.74affected
n/aLangfuse3.75affected
n/aLangfuse3.76affected
n/aLangfuse3.77affected
n/aLangfuse3.78affected
n/aLangfuse3.79affected
n/aLangfuse3.80affected
n/aLangfuse3.81affected
n/aLangfuse3.82affected
n/aLangfuse3.83affected
n/aLangfuse3.84affected
n/aLangfuse3.85affected
n/aLangfuse3.86affected
n/aLangfuse3.87affected
n/aLangfuse3.88.0affected

Weaknesses

  • CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References