CVE-2025-65107
📋 TL;DR
This vulnerability in Langfuse's SSO provider configurations allows account takeover when an authenticated user is tricked into visiting a specially crafted URL via a CSRF or phishing attack. It affects Langfuse versions 2.95.0-2.95.11 and 3.17.0-3.130.0. The issue occurs when AUTH_<PROVIDER>_CHECK is not explicitly set in the SSO configuration.
💻 Affected Systems
- Langfuse
📦 What is this software?
Langfuse by Langfuse
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to LLM engineering data, potential data exfiltration, and privilege escalation within the Langfuse platform.
Likely Case
Attackers gaining access to user accounts through phishing campaigns, potentially compromising sensitive LLM training data and operational configurations.
If Mitigated
Limited impact with proper SSO configuration validation and user awareness training about phishing risks.
🎯 Exploit Status
Requires interaction from an authenticated user via CSRF or phishing, but exploitation is straightforward once the user visits the crafted URL.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.95.12 and 3.131.0
Vendor Advisory: https://github.com/langfuse/langfuse/security/advisories/GHSA-w9pw-c549-5m6w
Restart Required: Yes
Instructions:
1. Update Langfuse to version 2.95.12 or 3.131.0.
2. Restart the Langfuse service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Set the AUTH_<PROVIDER>_CHECK configuration
Explicitly set AUTH_<PROVIDER>_CHECK in all SSO provider configurations to prevent the vulnerability.
Edit the Langfuse configuration files to include the AUTH_<PROVIDER>_CHECK setting for each SSO provider.
🧯 If You Can't Patch
- Implement strict SSO configuration validation requiring AUTH_<PROVIDER>_CHECK for all providers
- Deploy anti-CSRF tokens and implement additional authentication verification steps
🔍 How to Verify
Check if Vulnerable:
Check the Langfuse version and confirm whether the deployment runs an affected version (2.95.0-2.95.11 or 3.17.0-3.130.0) with an SSO provider configured and AUTH_<PROVIDER>_CHECK unset.
Check Version:
Check the Langfuse web interface admin panel or the deployment configuration for version information.
Verify Fix Applied:
Confirm the Langfuse version is 2.95.12 or later on the 2.x line, or 3.131.0 or later on the 3.x line, and verify that AUTH_<PROVIDER>_CHECK is set in every SSO provider configuration.
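The two checks above (affected version range, and an SSO provider configured without AUTH_<PROVIDER>_CHECK) can be scripted against a deployment's .env file. This is an added example, not Langfuse's own tooling; it assumes a provider counts as configured when an AUTH_<PROVIDER>_CLIENT_ID variable is present, and the sample .env contents are constructed.

```python
import re
# Affected ranges from the advisory (inclusive): 2.95.0-2.95.11 and 3.17.0-3.130.0.
AFFECTED_RANGES = [((2, 95, 0), (2, 95, 11)), ((3, 17, 0), (3, 130, 0))]

def parse_version(version: str) -> tuple:
    """Turn 'v3.130.0' or '3.130.0' into (3, 130, 0); a pre-release suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser for a .env-style file; comments and blank lines skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def sso_providers(env: dict) -> list:
    """Assumption: a provider is configured when AUTH_<PROVIDER>_CLIENT_ID is present."""
    providers = set()
    for key in env:
        m = re.fullmatch(r"AUTH_([A-Z0-9]+)_CLIENT_ID", key)
        if m:
            providers.add(m.group(1))
    return sorted(providers)

def providers_missing_check(env: dict) -> list:
    """Providers whose AUTH_<PROVIDER>_CHECK is absent or empty (the vulnerable state)."""
    return [p for p in sso_providers(env) if not env.get(f"AUTH_{p}_CHECK")]

def assess(version: str, env_text: str) -> dict:
    env = parse_env(env_text)
    missing = providers_missing_check(env)
    affected = is_affected_version(version)
    return {"affected_version": affected, "missing_check": missing,
            "vulnerable": affected and bool(missing)}

# Constructed sample: GOOGLE lacks the check, OKTA has it (value is a placeholder).
SAMPLE_ENV = """
AUTH_GOOGLE_CLIENT_ID=constructed-google-id
AUTH_OKTA_CLIENT_ID=constructed-okta-id
AUTH_OKTA_CHECK=placeholder-value-per-vendor-docs
"""
```

Run `assess("3.130.0", SAMPLE_ENV)` to get `vulnerable: True` with `missing_check: ["GOOGLE"]`; the same .env on 3.131.0 reports not vulnerable by version, but the missing check is still listed so the configuration gap can be closed.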
📡 Detection & Monitoring
Log Indicators:
- Unusual SSO authentication patterns
- Multiple failed SSO attempts followed by a successful login from a different IP address
- SSO configuration changes without AUTH_<PROVIDER>_CHECK
Network Indicators:
- Suspicious redirects to crafted URLs
- Unusual outbound connections after SSO authentication
SIEM Query:
source="langfuse" AND (event_type="sso_auth" OR event_type="config_change") AND NOT config_key="AUTH_*_CHECK"