CVE-2025-59305

Source
https://cve.org/CVERecord?id=CVE-2025-59305
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59305.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-59305
Published
2025-09-24T18:15:42.107Z
Modified
2026-04-10T05:33:26.558719Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Summary
[none]
Details

Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as backgroundMigrations.all, backgroundMigrations.status, and backgroundMigrations.retry.

References

Affected packages

Git / github.com/langfuse/langfuse

Affected ranges

Type
GIT
Repo
https://github.com/langfuse/langfuse
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.1.0"
        },
        {
            "fixed": "3.109.0"
        }
    ]
}

Affected versions

v3.*
v3.1.0
v3.1.1
v3.10.0
v3.100.0
v3.101.0
v3.102.0
v3.103.0
v3.104.0
v3.105.0
v3.106.0
v3.106.1
v3.106.2
v3.106.3
v3.106.4
v3.107.0
v3.108.0
v3.11.0
v3.11.1
v3.12.0
v3.13.0
v3.14.0
v3.15.0
v3.16.0
v3.17.0
v3.17.1
v3.18.0
v3.19.0
v3.2.0
v3.20.0
v3.21.0
v3.22.0
v3.23.0
v3.24.0
v3.24.1
v3.25.0
v3.26.0
v3.27.0
v3.27.1
v3.27.2
v3.28.0
v3.28.1
v3.28.3
v3.29.0
v3.29.1
v3.3.0
v3.30.0
v3.31.0
v3.32.0
v3.32.1
v3.33.0
v3.33.1
v3.34.0
v3.34.1
v3.35.0
v3.35.1
v3.36.0
v3.37.0
v3.38.0
v3.39.0
v3.4.0
v3.40.0
v3.41.0
v3.41.1
v3.42.0
v3.42.1
v3.43.0
v3.44.0
v3.45.0
v3.45.1
v3.45.2
v3.46.0
v3.47.0
v3.48.0
v3.48.1
v3.49.0
v3.49.1
v3.5.0
v3.5.1
v3.5.2
v3.5.3
v3.50.0
v3.51.0
v3.51.1
v3.51.2
v3.52.0
v3.53.0
v3.54.0
v3.54.1
v3.55.0
v3.56.0
v3.57.0
v3.57.1
v3.57.2
v3.58.0
v3.59.0
v3.59.1
v3.6.0
v3.6.1
v3.6.2
v3.60.0
v3.60.1
v3.61.0
v3.62.0
v3.62.1
v3.63.0
v3.63.1
v3.64.0
v3.65.0
v3.65.1
v3.65.2
v3.65.3
v3.66.0
v3.66.1
v3.67.0
v3.68.0
v3.69.0
v3.7.0
v3.7.1
v3.70.0
v3.71.0
v3.72.0
v3.72.1
v3.73.0
v3.73.1
v3.74.0
v3.75.0
v3.75.1
v3.75.2
v3.75.3
v3.75.4
v3.76.0
v3.77.0
v3.78.0
v3.78.1
v3.78.2
v3.79.0
v3.79.1
v3.8.0
v3.80.0
v3.80.1
v3.81.0
v3.81.1
v3.82.0
v3.83.0
v3.84.0
v3.85.0
v3.85.1
v3.85.2
v3.86.0
v3.86.1
v3.87.0
v3.87.1
v3.88.0
v3.88.1
v3.89.0
v3.9.0
v3.90.0
v3.91.0
v3.92.0
v3.92.1
v3.93.0
v3.94.0
v3.95.0
v3.95.1
v3.95.2
v3.96.0
v3.96.1
v3.96.2
v3.97.0
v3.97.1
v3.97.2
v3.97.3
v3.97.4
v3.97.5
v3.98.0
v3.98.1
v3.98.2
v3.99.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-59305.json"