QwikSec

Security Database

CVE

CWE

Training

CVE-2025-9799

Published: Sep 1, 2025

Modified: Sep 2, 2025

PUBLISHED

CVSS v3.1

5.0

MEDIUM

Description

A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited.

Vendor	Product	Versions
n/a	Langfuse	affected `3.0` affected `3.1` affected `3.2` affected `3.3` affected `3.4` +84 more versions

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

VDB-322114 | Langfuse Webhook promptRouter.ts promptChangeEventSourcing server-side request forgery

vdb-entry

technical-description

VDB-322114 | CTI Indicators (IOB, IOC, IOA)

signature

permissions-required

Submit #641128 | langfuse https://github.com/langfuse/langfuse <=3.88.0 SSRF

third-party-advisory

https://github.com/langfuse/langfuse/issues/8522

issue-tracking

https://github.com/langfuse/langfuse/issues/8522#issue-3320549867

exploit

issue-tracking

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.