
Server-Side Request Forgery (SSRF) in langsmith

CVE-2026-25528

  • langsmith
Severity Medium
Score 5.8/10

Summary

LangSmith Client SDKs are the SDKs for interacting with the LangSmith platform. The SDKs' distributed tracing feature is vulnerable to Server-Side Request Forgery (SSRF) via malicious HTTP headers: an attacker can inject arbitrary "api_url" values through the "baggage" header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.

When distributed tracing is used, the SDK parses incoming HTTP headers via "RunTree.from_headers()" in Python or "RunTree.fromHeaders()" in TypeScript. The "baggage" header can carry replica configurations, including "api_url" and "api_key" fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's "post()" and "patch()" methods send run data to every configured replica URL, including any injected by the attacker. Any service that feeds request headers from untrusted callers into "from_headers()" / "fromHeaders()" is therefore exposed: whoever can send it a request can choose where a copy of its trace data is posted.

This vulnerability affects Python SDK versions prior to 0.6.3 and JavaScript SDK versions prior to 0.4.6; upgrade to those versions or later.
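The following is an added, illustrative re-implementation of the parsing described above; it is not the LangSmith SDK's own code. It assumes (an assumption, not stated on this page) that the replica list travels in a baggage member named "langsmith-replicas" holding percent-encoded JSON, with each replica an object carrying "api_url" and "api_key". It shows the pre-fix behaviour, in which every replica from the header becomes an outbound destination, next to a hardened parser that only keeps https replicas whose host is on an allowlist chosen by the deploying service. The sample headers are constructed for the example.

```python
"""Illustrative re-implementation (not the LangSmith SDK's code) of replica
parsing from the `baggage` header, vulnerable form beside a hardened form.

Assumptions (not taken from the advisory): baggage member name
`langsmith-replicas`, percent-encoded JSON list of {"api_url", "api_key"}.
"""
import json
from typing import Dict, List, Set
from urllib.parse import quote, unquote, urlsplit

# Constructed sample data: the legitimate upstream and an attacker-supplied replica.
LEGIT_REPLICA = {"api_url": "https://api.smith.langchain.com", "api_key": "lsv2-real"}
EVIL_REPLICA = {"api_url": "https://collector.attacker.example", "api_key": "x"}


def build_baggage(replicas: List[dict]) -> str:
    """Encode a replica list as a W3C baggage header value (assumed member name)."""
    return "langsmith-replicas=" + quote(json.dumps(replicas), safe="")


def parse_baggage(header: str) -> Dict[str, str]:
    """Split a baggage header into {key: percent-decoded value}."""
    out: Dict[str, str] = {}
    for member in header.split(","):
        member = member.strip()
        if not member or "=" not in member:
            continue
        key, _, value = member.partition("=")
        value = value.split(";", 1)[0]  # drop optional ";prop=val" properties
        out[key.strip()] = unquote(value.strip())
    return out


def replicas_unvalidated(headers: Dict[str, str]) -> List[dict]:
    """Pre-fix behaviour: every replica found in the header is trusted verbatim."""
    bag = parse_baggage(headers.get("baggage", ""))
    raw = bag.get("langsmith-replicas")
    return json.loads(raw) if raw else []


def replicas_validated(headers: Dict[str, str], allowed_hosts: Set[str]) -> List[dict]:
    """Hardened: keep only https replicas whose host is on a caller-supplied
    allowlist; anything else from the untrusted header is discarded."""
    kept = []
    for rep in replicas_unvalidated(headers):
        if not isinstance(rep, dict):
            continue
        parts = urlsplit(str(rep.get("api_url", "")))
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            continue
        kept.append(rep)
    return kept


def post_destinations(replicas: List[dict]) -> List[str]:
    """URLs a run's data would be POSTed to: one request per configured replica."""
    return [r["api_url"].rstrip("/") + "/runs" for r in replicas]


if __name__ == "__main__":
    incoming = {"baggage": build_baggage([LEGIT_REPLICA, EVIL_REPLICA])}
    print("unvalidated:", post_destinations(replicas_unvalidated(incoming)))
    print("validated:  ", post_destinations(
        replicas_validated(incoming, {"api.smith.langchain.com"})))
```

Run as written, the unvalidated path yields two destinations, one of them the attacker's host, while the validated path yields only the allowlisted endpoint. The allowlist belongs in the receiving service's configuration, never in the request: the whole point of the bug is that the request is the attacker's to write.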

CVSS v3.1 base metrics (vector AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N, consistent with the 5.8 score above):

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: CHANGED
  • User Interaction: NONE
  • Availability: NONE
  • Confidentiality: LOW
  • Integrity: NONE

CWE-918 - Server-Side Request Forgery (SSRF)

Server-side request forgery (SSRF) is a weakness that lets an attacker cause a server to issue a request of the attacker's choosing, so that the request appears to originate from the server. Such a request may reach destinations that a firewall would block the attacker from contacting directly, or, as here, carry server-side data to a destination the attacker controls. The impact can range from unauthorized access to files and sensitive information to remote code execution.

Advisory Timeline

  • Published