{"id":"CVE-2025-9799","details":"A server-side request forgery (SSRF) vulnerability has been discovered in Langfuse up to 3.88.0. It affects the function promptChangeEventSourcing in the file web/src/features/prompts/server/routers/promptRouter.ts of the Webhook Handler component. Manipulation leads to server-side request forgery. The attack may be initiated remotely. The attack requires a high degree of complexity, and exploitation appears to be difficult. The exploit has been released to the public and may be used.","modified":"2026-04-10T05:36:47.206372Z","published":"2025-09-01T22:15:31.283Z","references":[{"type":"ADVISORY","url":"https://vuldb.com/?id.322114"},{"type":"ADVISORY","url":"https://vuldb.com/?submit.641128"},{"type":"REPORT","url":"https://github.com/langfuse/langfuse/issues/8522#issue-3320549867"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.322114"},{"type":"REPORT","url":"https://github.com/langfuse/langfuse/issues/8522"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/langfuse/langfuse","events":[{"introduced":"0"},{"last_affected":"e07120b16361c6a3417addb12a0440a8dd204c64"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.88.0"}]}}],"versions":["1.0.0","1.0.0-rc.2","v1.0.1","v1.1.0","v1.10.0","v1.11.0","v1.11.1","v1.12.0","v1.13.0","v1.13.2","v1.13.3","v1.14.0","v1.15.0","v1.15.1","v1.16.0","v1.17.0","v1.17.1","v1.17.2","v1.17.3","v1.18.0","v1.18.1","v1.19.0","v1.19.1","v1.19.2","v1.19.3","v1.19.4","v1.2.0","v1.20.0","v1.21.0","v1.22.0","v1.23.0","v1.24.0","v1.24.1","v1.24.2","v1.25.0","v1.26.0","v1.27.0","v1.27.1","v1.27.2","v1.27.3","v1.28.0","v1.28.1","v1.29.0","v1.3.0","v1.30.0","v1.30.1","v1.31.0","v1.31.1","v1.31.2","v1.31.3","v1.31.4","v1.32.0","v1.32.1","v1.32.2","v1.32.3","v1.33.0","v1.33.1","v1.33.10","v1.33.2","v1.33.3","v1.33.5","v1.33.6","v1.33.7","v1.33.8","v1.33.9","v1.34.0","v1.34.1","v1.4.0","v1.4.1","v1.5.0","v1.5.1","v1.6.0","v1.7.0","v1.7.1","v1.7.2","v1.8.0","v1.8.1",
"v1.8.2","v1.9.0","v1.9.1","v1.9.2","v2.0.0","v2.0.1","v2.1.0","v2.1.1","v2.1.2","v2.10.0","v2.10.1","v2.10.10","v2.10.2","v2.10.3","v2.10.4","v2.10.5","v2.10.6","v2.10.7","v2.10.8","v2.10.9","v2.11.0","v2.11.1","v2.11.2","v2.11.3","v2.12.0","v2.12.1","v2.13.0","v2.13.1","v2.14.0","v2.14.1","v2.14.2","v2.14.3","v2.14.4","v2.14.5","v2.14.6","v2.15.0","v2.15.1","v2.15.2","v2.15.3","v2.15.4","v2.15.5","v2.16.0","v2.16.1","v2.16.2","v2.17.0","v2.18.0","v2.18.1","v2.19.0","v2.19.1","v2.2.0","v2.20.0","v2.21.0","v2.21.1","v2.21.2","v2.22.0","v2.23.0","v2.24.0","v2.24.1","v2.25.0","v2.25.1","v2.26.0","v2.26.1","v2.27.0","v2.28.0","v2.29.0","v2.29.1","v2.29.2","v2.3.0","v2.30.0","v2.30.1","v2.30.2","v2.31.0","v2.32.0","v2.33.0","v2.34.0","v2.35.0","v2.36.0","v2.36.1","v2.37.0","v2.37.1","v2.37.2","v2.37.3","v2.38.0","v2.38.1","v2.38.2","v2.39.0","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.40.0","v2.41.0","v2.41.1","v2.42.0","v2.43.0","v2.43.1","v2.43.2","v2.44.0","v2.45.0","v2.45.1","v2.46.0","v2.47.0","v2.47.1","v2.47.2","v2.47.3","v2.47.4","v2.47.5","v2.47.6","v2.47.7","v2.48.0","v2.48.1","v2.49.0","v2.49.1","v2.49.2","v2.5.0","v2.5.1","v2.50.0","v2.51.0","v2.52.0","v2.52.1","v2.53.0","v2.54.0","v2.55.0","v2.55.1","v2.56.0","v2.56.1","v2.57.0","v2.58.0","v2.59.0","v2.59.1","v2.6.0","v2.60.0","v2.60.1","v2.60.2","v2.60.3","v2.60.4","v2.61.0","v2.61.1","v2.62.0","v2.63.0","v2.63.1","v2.64.0","v2.65.0","v2.65.1","v2.66.0","v2.67.0","v2.68.0","v2.69.0","v2.7.0","v2.7.1","v2.7.2","v2.70.0","v2.70.1","v2.71.0","v2.72.0","v2.73.0","v2.74.0","v2.75.0","v2.75.1","v2.75.2","v2.76.0","v2.77.0","v2.78.0","v2.79.0","v2.8.0","v2.80.0","v2.81.0","v2.81.1","v2.81.2","v2.82.0","v2.83.0","v2.83.1","v2.84.0","v2.84.1","v2.85.0","v2.85.1","v2.86.0","v2.87.0","v2.88.0","v2.89.0","v2.9.0","v2.9.1","v2.90.0","v2.90.1","v2.91.0","v2.92.0","v2.93.0","v3.0.0","v3.0.0-rc.1","v3.0.0-rc.2","v3.0.0-rc.3","v3.0.0-rc.4","v3.0.0-rc.5","v3.0.0-rc.6","v3.1.0","v3.1.1","v3.10.0","v3.11.0","v3.11.1","v3.12.0","v
3.13.0","v3.14.0","v3.15.0","v3.16.0","v3.17.0","v3.17.1","v3.18.0","v3.19.0","v3.2.0","v3.20.0","v3.21.0","v3.22.0","v3.23.0","v3.24.0","v3.24.1","v3.25.0","v3.26.0","v3.27.0","v3.27.1","v3.27.2","v3.28.0","v3.28.1","v3.28.3","v3.29.0","v3.29.1","v3.3.0","v3.30.0","v3.31.0","v3.32.0","v3.32.1","v3.33.0","v3.33.1","v3.34.0","v3.34.1","v3.35.0","v3.35.1","v3.36.0","v3.37.0","v3.38.0","v3.39.0","v3.4.0","v3.40.0","v3.41.0","v3.41.1","v3.42.0","v3.42.1","v3.43.0","v3.44.0","v3.45.0","v3.45.1","v3.45.2","v3.46.0","v3.47.0","v3.48.0","v3.48.1","v3.49.0","v3.49.1","v3.5.0","v3.5.1","v3.5.2","v3.5.3","v3.50.0","v3.51.0","v3.51.1","v3.51.2","v3.52.0","v3.53.0","v3.54.0","v3.54.1","v3.55.0","v3.56.0","v3.57.0","v3.57.1","v3.57.2","v3.58.0","v3.59.0","v3.59.1","v3.6.0","v3.6.1","v3.6.2","v3.60.0","v3.60.1","v3.61.0","v3.62.0","v3.62.1","v3.63.0","v3.63.1","v3.64.0","v3.65.0","v3.65.1","v3.65.2","v3.65.3","v3.66.0","v3.66.1","v3.67.0","v3.68.0","v3.69.0","v3.7.0","v3.7.1","v3.70.0","v3.71.0","v3.72.0","v3.72.1","v3.73.0","v3.73.1","v3.74.0","v3.75.0","v3.75.1","v3.75.2","v3.75.3","v3.75.4","v3.76.0","v3.77.0","v3.78.0","v3.78.1","v3.78.2","v3.79.0","v3.79.1","v3.8.0","v3.80.0","v3.80.1","v3.81.0","v3.81.1","v3.82.0","v3.83.0","v3.84.0","v3.85.0","v3.85.1","v3.85.2","v3.86.0","v3.86.1","v3.87.0","v3.87.1","v3.88.0","v3.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9799.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"}]}