A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited.
References
| Link | Resource |
|---|---|
| https://github.com/langfuse/langfuse/issues/8522 | Exploit Issue Tracking |
| https://github.com/langfuse/langfuse/issues/8522#issue-3320549867 | Exploit Issue Tracking |
| https://vuldb.com/?ctiid.322114 | Permissions Required VDB Entry |
| https://vuldb.com/?id.322114 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.641128 | Third Party Advisory VDB Entry |
Configurations
History
02 Dec 2025, 19:04
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/langfuse/langfuse/issues/8522 - Exploit, Issue Tracking | |
| References | () https://github.com/langfuse/langfuse/issues/8522#issue-3320549867 - Exploit, Issue Tracking | |
| References | () https://vuldb.com/?ctiid.322114 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.322114 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.641128 - Third Party Advisory, VDB Entry | |
| First Time |
Langfuse
Langfuse langfuse |
|
| CPE | cpe:2.3:a:langfuse:langfuse:*:*:*:*:*:*:*:* |
01 Sep 2025, 22:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-09-01 22:15
Updated : 2025-12-02 19:04
NVD link : CVE-2025-9799
Mitre link : CVE-2025-9799
CVE.ORG link : CVE-2025-9799
JSON object : View
Products Affected
langfuse
- langfuse
CWE
CWE-918
Server-Side Request Forgery (SSRF)