CVE-2026-25528

5.8 MEDIUM

📋 TL;DR

The LangSmith SDK distributed tracing feature is vulnerable to Server-Side Request Forgery (SSRF) via malicious HTTP headers. Attackers can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. This affects applications using LangSmith SDKs with distributed tracing enabled.

💻 Affected Systems

Products:
  • LangSmith Python SDK
  • LangSmith JavaScript/TypeScript SDK
Versions: Python SDK versions < 0.6.3, JavaScript SDK versions < 0.4.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with distributed tracing enabled via RunTree.from_headers() or RunTree.fromHeaders() methods.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive trace data containing potentially confidential information is exfiltrated to attacker-controlled servers, leading to data breach and potential credential exposure.

🟠 Likely Case

Trace data containing API keys, configuration details, and operational metadata is sent to attacker endpoints, enabling reconnaissance and potential credential harvesting.

🟢 If Mitigated

With proper input validation and patching, the vulnerability is eliminated and no data exfiltration occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to send HTTP requests with malicious baggage headers to vulnerable endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python SDK 0.6.3+, JavaScript SDK 0.4.6+

Vendor Advisory: https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-v34v-rq6j-cj6p

Restart Required: No

Instructions:

1. Update Python SDK: pip install --upgrade "langsmith>=0.6.3"
2. Update JavaScript SDK: npm install "langsmith@^0.4.6"
3. Verify no breaking changes in your application
4. Test distributed tracing functionality

🔧 Temporary Workarounds

Disable distributed tracing

all

Temporarily disable the vulnerable distributed tracing feature until patching is possible.

Configure application to not use RunTree.from_headers() or RunTree.fromHeaders() methods

Input validation middleware

all

Implement middleware to sanitize or block baggage headers containing api_url or api_key fields.

Implement HTTP header validation in your application framework
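One way to implement the header sanitization described above in a Python WSGI application. This is an added example, not code from the LangSmith SDK or the vendor advisory; `sanitize_baggage` and `BaggageSanitizer` are hypothetical names, and matching on the substrings api_url and api_key follows this page's wording rather than the SDK's actual baggage key names.

```python
"""Drop baggage list members that mention api_url / api_key before the app sees them."""
from urllib.parse import unquote

# Field names taken from the workaround text on this page.
BLOCKED_FIELDS = ("api_url", "api_key")
MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding we unwrap


def _mentions_blocked_field(member: str) -> bool:
    """True if the member names a blocked field, even when percent-encoded."""
    text = member
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if any(field in text.lower() for field in BLOCKED_FIELDS):
            return True
        decoded = unquote(text)
        if decoded == text:
            return False  # fully decoded and clean
        text = decoded
    return True  # still changing after the bound: fail closed and drop it


def sanitize_baggage(header_value: str) -> str:
    """Return the W3C baggage header value with offending list members removed."""
    # Baggage list members are comma-separated; commas inside values must be
    # percent-encoded, so a plain split is the correct way to find members.
    members = [m.strip() for m in header_value.split(",") if m.strip()]
    return ",".join(m for m in members if not _mentions_blocked_field(m))


class BaggageSanitizer:
    """WSGI middleware that rewrites the incoming baggage header in place."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_BAGGAGE")
        if raw is not None:
            cleaned = sanitize_baggage(raw)
            if cleaned:
                environ["HTTP_BAGGAGE"] = cleaned
            else:
                del environ["HTTP_BAGGAGE"]  # nothing safe left to forward
        return self.app(environ, start_response)
```

Wrap the application object before any handler calls RunTree.from_headers(), so the SDK only ever sees the cleaned header.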

🧯 If You Can't Patch

  • Implement WAF rules to block or sanitize baggage headers containing api_url or api_key parameters
  • Monitor outbound traffic for connections to unexpected domains from LangSmith SDK processes

🔍 How to Verify

Check if Vulnerable:

Check if your application uses LangSmith SDK with distributed tracing and verify SDK versions.

Check Version:

Python: pip show langsmith | grep Version
JavaScript: npm list langsmith

Verify Fix Applied:

Verify SDK versions are >=0.6.3 for Python or >=0.4.6 for JavaScript, and test that baggage headers with malicious api_url values are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected outbound HTTP requests from LangSmith SDK to unfamiliar domains
  • Failed trace submissions with invalid URL errors

Network Indicators:

  • Outbound HTTP POST/PATCH requests from application to unexpected domains on port 443/80
  • Traffic patterns showing data exfiltration to new endpoints

SIEM Query:

source="langsmith-sdk" AND (url="*malicious*" OR destination_ip NOT IN [allowed_ips])
