Remote Code Execution on Langfuse with a single OTel trace request (aisafe.io)

🤖 AI Summary
AISafe Labs has identified a severe security vulnerability in Langfuse v3.167.4, an open-source platform for AI application engineering. An authenticated OpenTelemetry (OTel) trace request can trigger prototype pollution, leading to two critical risks: remote code execution (RCE) and unauthorized exposure of private traces across projects. Attackers can craft malicious OTel attributes that manipulate JavaScript's prototype chain, allowing them to write uncontested properties onto Object.prototype, which can then be executed as code or cause the exposure of sensitive data in multi-tenant environments.

The implications of this vulnerability are significant for the AI/ML community, particularly those using Langfuse for observability and monitoring in their applications. The attack requires no special integrations and can be carried out with a legitimate project API key, so anyone holding authorized access can perform it. The Langfuse team has responded with an immediate fix that blocks sensitive attribute names, implements strict property checks, and enhances prototype security to prevent such attacks in the future, underscoring the need for robust security practices in AI application development.
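The mitigations named in the summary (blocking sensitive attribute names, strict property checks, prototype hardening), shown beside the weak pattern they replace. This is an added example, not Langfuse's code: the dotted-key expansion, the function names, the use of null-prototype objects and the sample attributes are assumptions made for illustration.

```javascript
// Added illustration, not Langfuse code. Assumption: dotted attribute keys
// are expanded into nested objects before storage.
const BLOCKED = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Weak form: follows whatever node[part] returns, including inherited values.
function setPathNaive(target, key, value) {
  const parts = key.split(".");
  let node = target;
  for (const part of parts.slice(0, -1)) {
    if (typeof node[part] !== "object" || node[part] === null) node[part] = {};
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
}

// Hardened form: blocklist, own-property checks, null-prototype containers.
function setPathSafe(target, key, value) {
  const parts = key.split(".");
  if (parts.some((p) => BLOCKED.has(p))) return false;
  let node = target;
  for (const part of parts.slice(0, -1)) {
    const child = hasOwn(node, part) ? node[part] : undefined;
    if (typeof child !== "object" || child === null) node[part] = Object.create(null);
    node = node[part];
  }
  node[parts[parts.length - 1]] = value;
  return true;
}

function expandSafe(attrs) {
  const out = Object.create(null);
  const rejected = [];
  for (const [k, v] of Object.entries(attrs)) if (!setPathSafe(out, k, v)) rejected.push(k);
  return { out, rejected };
}

function demo() {
  // Constructed sample attributes; the marker name is hypothetical.
  const attrs = { "service.name": "checkout", "__proto__.pollutedMarker": "x" };
  const naive = {};
  for (const [k, v] of Object.entries(attrs)) setPathNaive(naive, k, v);
  const naivePolluted = ({}).pollutedMarker === "x";
  delete Object.prototype.pollutedMarker; // undo the demonstration's side effect
  const { out, rejected } = expandSafe(attrs);
  return { naivePolluted, safePolluted: "pollutedMarker" in {}, rejected, name: out.service.name };
}
console.log(demo());
```

Rejected keys are returned rather than silently dropped so that an ingestion path can log them as a detection signal.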