CVE-2025-64504
📋 TL;DR
This vulnerability in Langfuse allows any authenticated user to enumerate the names and email addresses of members of other organizations on the same instance, provided they know the target organization's ID. It affects Langfuse versions 2.70.0 through 2.95.10 and 3.0.0 through 3.124.0, in both self-hosted deployments and Langfuse Cloud.
💻 Affected Systems
- Langfuse
📦 What is this software?
Langfuse by Langfuse
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious insider could enumerate all user names and email addresses across all organizations on the same Langfuse instance, potentially enabling targeted phishing or social engineering attacks.
Likely Case
Limited information disclosure where authenticated users with knowledge of other organization IDs can access member lists of those organizations, exposing names and email addresses but no sensitive customer data.
If Mitigated
For deployments with SSO configured and email/password sign-up disabled, only internal users authenticated via Enterprise SSO could exploit this to access lists of other internal users.
🎯 Exploit Status
Exploitation requires: 1) a valid Langfuse user account, 2) the target organization's orgId, 3) a request to a membership endpoint with the orgId parameter set to the target organization, sent with the attacker's own valid authentication token. No privileged role in the target organization is needed; the missing check is that the caller belongs to the organization whose members are being listed.
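The authorization gap described above, as an added example written for this page: a hypothetical membership handler that trusts a request-supplied orgId, beside one that first proves the caller belongs to that organization. This is illustrative code, not Langfuse's implementation; the handler names, the in-memory membership table and the sample users are assumptions.

```python
"""Added example: an orgId-based membership lookup with and without the
membership check. Hypothetical code, not Langfuse's implementation; names,
data and the in-memory table are assumed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Union


class Unauthenticated(Exception):
    """No valid session or API token was presented."""


class Forbidden(Exception):
    """Valid session, but the caller is not a member of the requested org."""


@dataclass(frozen=True)
class Membership:
    org_id: str
    user_id: str
    name: str
    email: str
    role: str


# Constructed stand-in for an organization-membership table.
MEMBERSHIPS = [
    Membership("org_a", "u1", "Alice", "alice@a.example", "OWNER"),
    Membership("org_a", "u2", "Bob", "bob@a.example", "MEMBER"),
    Membership("org_b", "u3", "Carol", "carol@b.example", "OWNER"),
    Membership("org_b", "u4", "Dave", "dave@b.example", "MEMBER"),
]


def list_members_vulnerable(session_user_id: Optional[str], org_id: str) -> List[dict]:
    """Checks only that *someone* is logged in; org_id comes straight from the
    request, so any authenticated user can read any organization's roster."""
    if session_user_id is None:
        raise Unauthenticated("login required")
    return [
        {"name": m.name, "email": m.email, "role": m.role}
        for m in MEMBERSHIPS
        if m.org_id == org_id
    ]


def list_members_fixed(session_user_id: Optional[str], org_id: str) -> List[dict]:
    """Same lookup, but first proves the caller belongs to org_id. The check is
    derived from the caller's identity, not from anything in the request."""
    if session_user_id is None:
        raise Unauthenticated("login required")
    caller_orgs = {m.org_id for m in MEMBERSHIPS if m.user_id == session_user_id}
    if org_id not in caller_orgs:
        # One response for "no such org" and "not your org", so the endpoint
        # cannot be used to confirm which orgIds exist.
        raise Forbidden("not a member of this organization")
    return [
        {"name": m.name, "email": m.email, "role": m.role}
        for m in MEMBERSHIPS
        if m.org_id == org_id
    ]


Handler = Callable[[Optional[str], str], List[dict]]


def probe(handler: Handler, session_user_id: Optional[str], org_id: str) -> Union[List[str], str]:
    """Return the e-mail addresses a handler discloses, or the error class name."""
    try:
        return sorted(m["email"] for m in handler(session_user_id, org_id))
    except (Unauthenticated, Forbidden) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # u1 belongs to org_a only and asks for org_b's roster.
    print("vulnerable:", probe(list_members_vulnerable, "u1", "org_b"))
    print("fixed:     ", probe(list_members_fixed, "u1", "org_b"))
```

The fixed handler deliberately returns the same error for a non-existent organization and for one the caller is not in; answering those two cases differently would turn the endpoint into an orgId oracle even after the roster itself is protected.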
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.95.11 for v2, 3.124.1 for v3
Vendor Advisory: https://github.com/langfuse/langfuse/security/advisories
Restart Required: Yes
Instructions:
1. Identify your Langfuse version.
2. Upgrade to v2.95.11 if on v2.x.
3. Upgrade to v3.124.1 if on v3.x.
4. Restart Langfuse services.
5. Verify the fix is applied.
🔧 Temporary Workarounds
No workarounds available
The vendor states that there are no known workarounds; upgrading is required for full mitigation.
🧯 If You Can't Patch
- Implement strict access controls and monitor API requests to membership endpoints for unusual orgId parameters
- Consider disabling project membership APIs if not required for your use case
🔍 How to Verify
Check if Vulnerable:
Check Langfuse version: if version is between 2.70.0-2.95.10 or 3.0.0-3.124.0, system is vulnerable.
Check Version:
Check Langfuse dashboard or deployment configuration for version information
Verify Fix Applied:
Verify Langfuse version is 2.95.11 or higher for v2, or 3.124.1 or higher for v3.
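The version check above, as an added example written for this page rather than a vendor-supplied tool. It parses a version string taken from the dashboard or deployment configuration, tests it against the affected ranges, and names the fixed release for that major line; the hostnames and versions in the sample inventory are constructed.

```python
"""Added example: decide whether a Langfuse version string falls in the affected
ranges for CVE-2025-64504 and name the release that fixes it. Written for this
page; not a vendor-supplied tool."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges and the first fixed release per major line.
AFFECTED = [((2, 70, 0), (2, 95, 10)), ((3, 0, 0), (3, 124, 0))]
FIXED: Dict[int, Version] = {2: (2, 95, 11), 3: (3, 124, 1)}

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text: str) -> Tuple[Version, Optional[str]]:
    """Parse 'v3.124.0', '3.124.1-rc.1' or '2.95.11+build5' into
    ((major, minor, patch), prerelease-or-None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    nums = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return nums, m.group(4)


def is_vulnerable(text: str) -> bool:
    """True when the version is inside an affected range."""
    nums, prerelease = parse_version(text)
    if any(lo <= nums <= hi for lo, hi in AFFECTED):
        return True
    # SemVer orders 3.124.1-rc.1 before 3.124.1, so a pre-release tagged with
    # the fixed version number may predate the fix; treat it as vulnerable
    # until confirmed (conservative choice for this example).
    return prerelease is not None and nums == FIXED.get(nums[0])


def recommended_fix(text: str) -> Optional[str]:
    """Return the fixed version for this major line, or None if not affected."""
    if not is_vulnerable(text):
        return None
    major = parse_version(text)[0][0]
    return ".".join(str(n) for n in FIXED[major])


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map host -> upgrade target (None when already safe). Strings that do not
    parse are reported as 'unknown' rather than silently treated as safe."""
    result: Dict[str, Optional[str]] = {}
    for host, version in inventory.items():
        try:
            result[host] = recommended_fix(version)
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample data.
    sample = {
        "lf-prod": "v3.124.0",
        "lf-staging": "3.124.1",
        "lf-legacy": "2.95.10",
        "lf-old": "2.69.3",
        "lf-odd": "latest",
    }
    for host, fix in triage(sample).items():
        print(f"{host}: {fix or 'not affected'}")
```

A floating tag such as "latest" is reported as unknown on purpose: the check cannot prove it safe, so it should be resolved to a concrete version before the host is marked patched.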
📡 Detection & Monitoring
Log Indicators:
- Unusual API requests to membership endpoints with orgId parameters different from user's organization
- Multiple failed authorization attempts on membership APIs
Network Indicators:
- API calls to /api/*/membership endpoints with modified orgId parameters
SIEM Query:
source="langfuse" AND (uri_path="/api/*/membership" OR endpoint="membership") AND orgId != user_org
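The log indicators above, as an added example written for this page: a scan over constructed JSON access-log lines that flags membership-endpoint requests whose orgId is not one of the caller's own organizations, then groups the hits per user to separate a single stray request from an enumeration run. The log field names, the sample endpoint path and the USER_ORGS lookup are assumptions for this example, not a Langfuse log schema or API; the log lines are constructed.

```python
"""Added example: detection logic for cross-organization membership requests,
run over constructed log lines. Field names, paths and the USER_ORGS lookup are
assumptions, not a Langfuse log schema."""
import json
import re
from collections import defaultdict
from typing import Dict, List, Set

# Assumed: resolvable from your identity source or the application database.
USER_ORGS: Dict[str, Set[str]] = {"u1": {"org_a"}, "u3": {"org_b"}}

# Matches the page's "/api/*/membership" indicator.
MEMBERSHIP_PATH = re.compile(r"^/api/[^/]+/membership(?:/|$)")

# Constructed sample log, one JSON object per line. Not real traffic.
SAMPLE_LOG = """\
{"ts":"2025-11-10T09:00:01Z","user":"u1","method":"GET","path":"/api/org/membership","query":{"orgId":"org_a"},"status":200}
{"ts":"2025-11-10T09:00:02Z","user":"u1","method":"GET","path":"/api/org/membership","query":{"orgId":"org_b"},"status":200}
{"ts":"2025-11-10T09:00:03Z","user":"u1","method":"GET","path":"/api/org/membership","query":{"orgId":"org_c"},"status":403}
{"ts":"2025-11-10T09:00:04Z","user":"u3","method":"GET","path":"/api/org/membership","query":{"orgId":"org_b"},"status":200}
{"ts":"2025-11-10T09:00:05Z","user":"u1","method":"GET","path":"/api/org/projects","query":{"orgId":"org_b"},"status":200}
{"ts":"2025-11-10T09:00:06Z","user":null,"method":"GET","path":"/api/org/membership","query":{"orgId":"org_b"},"status":401}
this line is not JSON and must not abort the scan
"""


def parse_events(log_text: str) -> List[dict]:
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_cross_org(events: List[dict], user_orgs: Dict[str, Set[str]]) -> List[dict]:
    """Events where an authenticated user hit a membership endpoint with an
    orgId outside that user's own organizations. Unauthenticated requests
    (no user) are skipped; a user missing from user_orgs has every request
    flagged, which surfaces gaps in the lookup rather than hiding them."""
    findings = []
    for ev in events:
        user = ev.get("user")
        if not user or not MEMBERSHIP_PATH.match(ev.get("path", "")):
            continue
        org = (ev.get("query") or {}).get("orgId")
        if org is None or org in user_orgs.get(user, set()):
            continue
        findings.append({"ts": ev.get("ts"), "user": user, "orgId": org,
                         "status": ev.get("status")})
    return findings


def summarize(findings: List[dict], threshold: int = 2) -> Dict[str, dict]:
    """Per-user rollup. 200 responses mean a roster was disclosed (unpatched);
    403 responses are the denied attempts the page lists as a second indicator.
    Touching >= threshold distinct foreign orgIds is reported as enumeration."""
    per_user = defaultdict(lambda: {"orgs": set(), "disclosed": 0, "denied": 0})
    for f in findings:
        u = per_user[f["user"]]
        u["orgs"].add(f["orgId"])
        if f["status"] == 200:
            u["disclosed"] += 1
        elif f["status"] == 403:
            u["denied"] += 1
    return {
        user: {
            "foreign_org_ids": sorted(s["orgs"]),
            "disclosed": s["disclosed"],
            "denied": s["denied"],
            "enumeration_suspected": len(s["orgs"]) >= threshold,
        }
        for user, s in per_user.items()
    }


def scan(log_text: str, user_orgs: Dict[str, Set[str]], threshold: int = 2) -> Dict[str, dict]:
    """Convenience wrapper: parse, flag, summarize."""
    return summarize(find_cross_org(parse_events(log_text), user_orgs), threshold)


if __name__ == "__main__":
    for user, report in scan(SAMPLE_LOG, USER_ORGS).items():
        print(user, report)
```

On an unpatched instance the 200 responses are the ones to act on, since each is a disclosed roster; after upgrading, the same query is still worth running because a user repeatedly collecting 403s on foreign orgIds is probing for the flaw.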
🔗 References
- https://github.com/langfuse/langfuse/commit/67990ebfdcf0f0c32a6710efa7ddbda073812ab4
- https://github.com/langfuse/langfuse/commit/6c2529049a4c962928c435984c81a547a497e3e5
- https://github.com/langfuse/langfuse/releases/tag/v2.70.0
- https://github.com/langfuse/langfuse/releases/tag/v2.95.11
- https://github.com/langfuse/langfuse/releases/tag/v3.124.1
- https://github.com/langfuse/langfuse/security/advisories/GHSA-94hf-6gqq-pj69