Authorization Flaw in Langfuse Affects User Data Exposure
CVE-2025-64504

5 MEDIUM

Key Information:

Vendor: Langfuse
Status: Vendor
CVE Published: 10 November 2025

What is CVE-2025-64504?

Langfuse, an open-source platform for managing large language models, contains a vulnerability in its project membership APIs. An authenticated user can obtain the names and email addresses of users belonging to other organizations on the same Langfuse instance by supplying a different organization ID in API requests. Customer data remains safeguarded, but the flaw exposes user identity data across organization boundaries. Affected versions should be upgraded to the patched releases (v2.95.11 and v3.124.1) to mitigate this risk. The Langfuse Cloud environment has been reviewed with no confirmed incidents of exploitation, and enterprise Single Sign-On (SSO) setups further limit the attack vector.
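As an added illustration (not Langfuse's own code), the authorization pattern this CVE concerns, modelled as a hypothetical TypeScript membership lookup: the unchecked version trusts the organization ID from the request, while the checked version first verifies the caller's own membership in that organization. All users, organizations and roles below are constructed sample data.

```typescript
// Added example, not code from Langfuse. In-memory model of a
// project-membership lookup across two tenants sharing one instance.
type User = { id: string; name: string; email: string };
type Membership = { userId: string; orgId: string; role: string };
type MemberView = { name: string; email: string };

// Constructed sample data (hypothetical tenants and accounts).
const users: User[] = [
  { id: "u1", name: "Alice Example", email: "alice@org-a.example" },
  { id: "u2", name: "Bob Example", email: "bob@org-b.example" },
];
const memberships: Membership[] = [
  { userId: "u1", orgId: "org-a", role: "OWNER" },
  { userId: "u2", orgId: "org-b", role: "OWNER" },
];

// Data access only: returns the name/email view of an organization's members.
function membersOf(orgId: string): MemberView[] {
  return memberships
    .filter((m) => m.orgId === orgId)
    .map((m) => users.find((u) => u.id === m.userId)!)
    .map(({ name, email }) => ({ name, email }));
}

// Vulnerable pattern: the caller is authenticated, but the handler never
// asks whether the caller belongs to the organization it was asked about,
// so any logged-in user can read another tenant's member list.
function listMembersUnchecked(_callerId: string, orgId: string): MemberView[] {
  return membersOf(orgId);
}

// Hardened pattern: authorization is derived from the caller's own
// memberships, not from the client-supplied organization ID.
function listMembersChecked(callerId: string, orgId: string): MemberView[] {
  const isMember = memberships.some(
    (m) => m.userId === callerId && m.orgId === orgId,
  );
  if (!isMember) {
    // One uniform error whether the org is unknown or the caller is not
    // in it, so the response does not confirm which org IDs exist.
    throw new Error("FORBIDDEN");
  }
  return membersOf(orgId);
}
```

In a real deployment the membership check belongs in a shared middleware or resolver applied to every organization-scoped route, so that no endpoint can be added later without it.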

Affected Version(s)

langfuse >= 2.70.0, < 2.95.11 (fixed in 2.95.11)

langfuse >= 3.0.0, < 3.124.1 (fixed in 3.124.1)

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
