FKIE_CVE-2026-25528

Vulnerability from fkie_nvd - Published: 2026-02-09 21:15 - Updated: 2026-02-09 21:55
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Summary
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.
References
security-advisories@github.comhttps://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "LangSmith Client SDKs provide SDK\u0027s for interacting with the LangSmith platform. The LangSmith SDK\u0027s distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK\u0027s post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and  0.4.6 of the JavaScript SDK."
    },
    {
      "lang": "es",
      "value": "Los SDKs del cliente de LangSmith proporcionan SDKs para interactuar con la plataforma LangSmith. La caracter\u00edstica de trazado distribuido del SDK de LangSmith es vulnerable a la falsificaci\u00f3n de petici\u00f3n del lado del servidor a trav\u00e9s de encabezados HTTP maliciosos. Un atacante puede inyectar valores arbitrarios de api_url a trav\u00e9s del encabezado \u0027baggage\u0027, haciendo que el SDK exfiltre datos de traza sensibles a puntos finales controlados por el atacante. Al usar el trazado distribuido, el SDK analiza los encabezados HTTP entrantes a trav\u00e9s de RunTree.from_headers() en Python o RunTree.fromHeaders() en Typescript. El encabezado \u0027baggage\u0027 puede contener configuraciones de r\u00e9plica, incluyendo los campos api_url y api_key. Antes de la correcci\u00f3n, estos valores controlados por el atacante eran aceptados sin validaci\u00f3n. Cuando una operaci\u00f3n trazada se completa, los m\u00e9todos post() y patch() del SDK env\u00edan datos de ejecuci\u00f3n a todas las URLs de r\u00e9plica configuradas, incluyendo cualquiera inyectada por un atacante. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 0.6.3 del SDK de Python y 0.4.6 del SDK de JavaScript."
    }
  ],
  "id": "CVE-2026-25528",
  "lastModified": "2026-02-09T21:55:30.093",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-09T21:15:48.857",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-918"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.