PyPi: Langfuse

CVE-2025-23207

Transitive

Safety vulnerability ID: 75139

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jan 17, 2025. Updated at Mar 24, 2025.

Advisory

Langfuse upgrades katex to ^0.16.21 in package.json and web/package.json due to CVE-2025-23207.

Affected package

langfuse

Latest version: 2.60.2

A client library for accessing langfuse

Affected versions

Fixed versions

Vulnerability changelog

What's Changed

Features

* feat(dataset-runs): add product analytics events by marliessophie in https://github.com/langfuse/langfuse/pull/5145
* feat(ee): add audit log view to project settings by marcklingen in https://github.com/langfuse/langfuse/pull/5150

Fixes

* fix: observation table type alignment by maxdeichmann in https://github.com/langfuse/langfuse/pull/5146
* fix: correctly upgrade katex by maxdeichmann in https://github.com/langfuse/langfuse/pull/5151
* fix: use unix timestamp for batch export file name to avoid invalid characters by Haoping-Xiao in https://github.com/langfuse/langfuse/pull/5092

Chores

* chore: reduce default write interval for CH queue to 1000 by Steffen911 in https://github.com/langfuse/langfuse/pull/5144
* chore: skip re-builds for same tree hash by Steffen911 in https://github.com/langfuse/langfuse/pull/5135
* chore: remove legacy/batched ingestion pipeline code by Steffen911 in https://github.com/langfuse/langfuse/pull/5121
* security: upgrade katex by maxdeichmann in https://github.com/langfuse/langfuse/pull/5149
* chore: allow skipping ingestion CH reads for projects created after cutoff date by Steffen911 in https://github.com/langfuse/langfuse/pull/5116
* chore(models-ui): move models into settings by marliessophie in https://github.com/langfuse/langfuse/pull/5124

New Contributors

* Haoping-Xiao made their first contribution in https://github.com/langfuse/langfuse/pull/5092

**Full Changelog**: https://github.com/langfuse/langfuse/compare/v3.12.0...v3.13.0

Resources
