LLM security agent finds vulnerability in LLM engineering platform (www.depthfirst.com)

DepthFirst discovered and privately disclosed CVE-2025-59305: a missing authorization check in Langfuse’s internal background-migrations API that let any authenticated user (including self-serve signups) restart or enumerate migration jobs. That small oversight could enable data corruption via race conditions or platform-wide denial-of-service by flooding resource-intensive migration tasks. Langfuse patched the issue the same day it was reported (Sept 9, 2025) and publicly disclosed the CVE on Sept 15, 2025. Technically, the flaw lived in background-migrations-router.ts where endpoints (retry, list, status) used tRPC’s protectedProcedure — which enforces authentication (AuthN) but not role-based authorization (AuthZ). An attacker can register, call backgroundMigrations.all to discover jobs, then call backgroundMigrations.retry to restart critical migrations. DepthFirst argues traditional SAST tools miss these contextual business-logic authorization faults, and LLM code assistants amplify the risk by reproducing common AuthN patterns without domain-aware AuthZ checks. Langfuse fixed it by introducing an adminProcedure enforcing role checks. The case is a reminder to engineering and security teams to treat AuthN ≠ AuthZ, add role-aware protections to internal admin APIs, and use contextual analysis tools to catch business-logic vulnerabilities.