CVE-2025-59305

{"id": "CVE-2025-59305", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.8}]}, "published": "2025-09-24T18:15:42.107", "references": [{"url": "https://depthfirst.com/post/how-an-authorization-flaw-reveals-a-common-security-blind-spot-cve-2025-59305-case-study", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Improper authorization in the background migration endpoints of Langfuse 3.1 before d67b317 allows any authenticated user to invoke migration control functions. This can lead to data corruption or denial of service through unauthorized access to TRPC endpoints such as backgroundMigrations.all, backgroundMigrations.status, and backgroundMigrations.retry."}, {"lang": "es", "value": "Autorizaci\u00f3n indebida en los puntos finales de migraci\u00f3n en segundo plano de Langfuse 3.1 anterior a d67b317 permite a cualquier usuario autenticado invocar funciones de control de migraci\u00f3n. Esto puede llevar a la corrupci\u00f3n de datos o denegaci\u00f3n de servicio a trav\u00e9s de acceso no autorizado a puntos finales de TRPC como backgroundMigrations.all, backgroundMigrations.status y backgroundMigrations.retry."}], "lastModified": "2025-12-02T18:09:52.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:langfuse:langfuse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC78C45E-A421-4EB9-B9E1-7DD4D6ABEB63", "versionEndExcluding": "3.109.0", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}