CVE-2026-25528 in langsmith-sdk
Summary
by MITRE • 02/09/2026
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability described in CVE-2026-25528 represents a critical server-side request forgery weakness within the LangSmith Client SDKs that affects both Python and JavaScript implementations. This security flaw resides in the distributed tracing functionality of the LangSmith platform, which is designed to enable comprehensive monitoring and debugging of language model applications. The vulnerability specifically targets the handling of HTTP headers during trace propagation, creating a pathway for malicious actors to manipulate the tracing infrastructure and potentially exfiltrate sensitive operational data.
The technical exploitation of this vulnerability occurs through manipulation of the baggage header field within HTTP requests, which is used by the SDK to propagate tracing context across distributed systems. When the SDK processes incoming requests containing maliciously crafted baggage headers, it fails to validate the api_url values that may be embedded within these headers. The RunTree.from_headers() method in Python and RunTree.fromHeaders() in TypeScript serve as the primary entry points where this validation gap exists. These methods parse the baggage header contents without proper sanitization, allowing attacker-controlled api_url values to be accepted and subsequently processed as legitimate configuration parameters.
The operational impact of this vulnerability extends beyond simple data exfiltration, as it fundamentally compromises the integrity and confidentiality of distributed tracing operations within applications using LangSmith SDKs. When a traced operation completes, the SDK's post() and patch() methods execute against all configured replica URLs, including those injected by attackers through the manipulated baggage header. This creates a scenario where sensitive trace data, potentially containing user information, application logic, or system configurations, can be redirected to attacker-controlled endpoints without proper authorization. The vulnerability affects any application that relies on LangSmith's distributed tracing capabilities and has not been updated to versions 0.6.3 for Python or 0.4.6 for JavaScript.
This vulnerability aligns with CWE-918, which describes Server-Side Request Forgery vulnerabilities that occur when applications fail to validate or sanitize user-supplied URLs used in HTTP requests. The attack pattern follows the ATT&CK technique T1566.002 for Phishing via Service Provider, as attackers could potentially use this vulnerability to redirect trace data to malicious endpoints while maintaining operational stealth. The flaw demonstrates poor input validation practices and inadequate security controls around distributed tracing mechanisms, which are increasingly critical as organizations deploy more complex microservices architectures. Organizations using LangSmith SDKs should immediately implement the patched versions to prevent potential data leakage and ensure the integrity of their distributed tracing infrastructure.
The fix implemented in versions 0.6.3 and 0.4.6 addresses the core validation issue by introducing proper sanitization of api_url values extracted from baggage headers. This remediation ensures that only legitimate, validated URLs are accepted as replica endpoints during trace propagation, preventing the injection of attacker-controlled values that could compromise system security. The solution demonstrates the importance of validating all inputs in distributed systems and implementing proper access controls around tracing configuration parameters to maintain the security posture of modern application monitoring infrastructures.