CVE-2025-9799 is a Server-Side Request Forgery (SSRF) vulnerability identified in Langfuse versions up to 3.88.0, specifically within the function promptChangeEventSourcing located in the file web/src/features/prompts/server/routers/promptRouter.ts, part of the Webhook Handler component. SSRF vulnerabilities allow an attacker to induce the server-side application to make HTTP requests to arbitrary domains or internal systems that the attacker would not normally have access to. In this case, the vulnerability arises from insufficient validation or sanitization of user-controlled input that is processed by the promptChangeEventSourcing function, enabling manipulation of server requests. The attack can be initiated remotely, but it requires a high degree of complexity and is considered difficult to exploit. The CVSS 4.0 score is 2.3, indicating low severity, reflecting limited impact and high attack complexity. The vulnerability does not require user interaction and has low impact on confidentiality, integrity, and availability, with no privileges required beyond low privileges. Although the exploit code has been publicly released, there are no known widespread exploits in the wild at this time. The vulnerability affects a broad range of Langfuse versions from 3.0 through 3.88.0, indicating that many deployments could be vulnerable if not patched or mitigated. The lack of available patches at the time of publication suggests that organizations must implement compensating controls to reduce risk until an official fix is released.

For European organizations using Langfuse, this SSRF vulnerability could allow attackers to leverage the affected server to send unauthorized requests to internal or external systems. Potential impacts include unauthorized access to internal services, data leakage, or use of the server as a proxy to bypass network restrictions. However, due to the high complexity and difficulty of exploitation, as well as the low CVSS score, the immediate risk is limited. Organizations with sensitive internal services accessible only from the Langfuse server could face increased risk if attackers successfully exploit this flaw. Additionally, if Langfuse is integrated into critical workflows or handles sensitive data, even limited SSRF exploitation could lead to information disclosure or indirect compromise. The public availability of exploit code increases the urgency for European organizations to assess and mitigate this vulnerability, especially those in sectors with stringent data protection requirements such as finance, healthcare, and government.

1. Immediate mitigation should include restricting outbound network access from Langfuse servers to only trusted destinations using firewall rules or network segmentation to limit the potential impact of SSRF exploitation. 2. Implement strict input validation and sanitization on all user-controlled inputs processed by the promptChangeEventSourcing function or related webhook handlers to prevent malicious payloads. 3. Monitor logs for unusual outbound requests originating from Langfuse servers that could indicate attempted exploitation. 4. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block SSRF attack patterns targeting the vulnerable endpoints. 5. Coordinate with Langfuse vendors or maintainers to obtain and apply patches as soon as they become available. 6. Conduct security reviews and penetration testing focused on SSRF vectors within Langfuse integrations. 7. Educate development and security teams about SSRF risks and secure coding practices to prevent similar vulnerabilities in future releases.