PyPI: Langfuse

CVE-2024-55565

Transitive

Safety vulnerability ID: 74955

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 09, 2024. Updated at Mar 24, 2025.

Advisory

Langfuse has updated the nanoid dependency to version 3.3.8 across multiple package.json files to address a security vulnerability identified as CVE-2024-55565.

Affected package

langfuse

Latest version: 2.60.2

A client library for accessing langfuse

Affected versions

Fixed versions

Vulnerability changelog

What's Changed

Features

* feat: add CLICKHOUSE_DB env support by peske in https://github.com/langfuse/langfuse/pull/4911. See [docs](https://langfuse.com/self-hosting/infrastructure/clickhouse#configuration) for all details.

Fixes

* fix(models): allow string tokenizer config by hassiebp in https://github.com/langfuse/langfuse/pull/4898
* fix: do not error on 403 by model provider for eval executions by maxdeichmann in https://github.com/langfuse/langfuse/pull/4905

Security

* security: upgrade nanoid by maxdeichmann in https://github.com/langfuse/langfuse/pull/4909
* security: prevent prototype pollution in dataset compare view by maxdeichmann in https://github.com/langfuse/langfuse/pull/4910

Chores

* chore: move sessions, traces, comments router logs to logger by Steffen911 in https://github.com/langfuse/langfuse/pull/4902
* chore(media): increase rate-limit to use ingestion budget by hassiebp in https://github.com/langfuse/langfuse/pull/4907

**Full Changelog**: https://github.com/langfuse/langfuse/compare/v3.5.3...v3.6.0
