{"data":{"id":"6a39144a-23b2-4bfa-8f92-d923aaae6636","title":"CVE-2025-64504: Langfuse is an open source large language model engineering platform. Starting in version 2.70.0 and prior to versions 2","summary":"Langfuse, an open source platform for managing large language models, had a vulnerability in versions 2.70.0 through 2.95.10 and 3.x through 3.124.0 where the server didn't properly check which organization a user belonged to, allowing any authenticated user to see names and email addresses of members in other organizations if they knew the target organization's ID. The vulnerability required the attacker to have a valid account on the same Langfuse instance and knowledge of the target organization's ID, and no customer data like traces, prompts, or evaluations were exposed.","solution":"Upgrade to patched versions: v2.95.11 for major version 2 or v3.124.1 for major version 3. According to the source, 'there are no known workarounds' and 'upgrading is required to fully mitigate this issue.'","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-64504","publishedAt":"2025-11-10T22:15:39.273Z","cveId":"CVE-2025-64504","cweIds":["CWE-202"],"cvssScore":"5","cvssSeverity":"medium","severity":"medium","attackType":["data_extraction"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langfuse"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00083,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}