5

CVE-2025-9799

Exploit

Langfuse Webhook promptRouter.ts promptChangeEventSourcing server-side request forgery

A security flaw has been discovered in Langfuse up to 3.88.0. Affected by this vulnerability is the function promptChangeEventSourcing of the file web/src/features/prompts/server/routers/promptRouter.ts of the component Webhook Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LangfuseLangfuse Version <= 3.88.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.168
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@vuldb.com 1.3 0 0
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com 5 1.6 3.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com 4.6 3.9 6.4
AV:N/AC:H/Au:S/C:P/I:P/A:P
CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://vuldb.com/?id.322114
Third Party Advisory
VDB Entry
https://vuldb.com/?ctiid.322114
VDB Entry
Permissions Required
https://vuldb.com/?submit.641128
Third Party Advisory
VDB Entry
https://github.com/langfuse/langfuse/issues/8522
Exploit
Issue Tracking
https://github.com/langfuse/langfuse/issues/8522#issue-3320549867
Exploit
Issue Tracking