CVE-2026-25528
Awaiting Analysis Awaiting Analysis - Queue
Server-Side Request Forgery in LangSmith SDK Distributed Tracing

Publication date: 2026-02-09

Last updated on: 2026-02-09

Assigner: GitHub, Inc.

Description
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-09
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25528
EUVD
EUVD-2026-6847
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
langsmith python_sdk 0.6.3
langsmith javascript_sdk 0.4.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The LangSmith Client SDKs have a vulnerability in their distributed tracing feature that allows Server-Side Request Forgery (SSRF) through malicious HTTP headers.

Specifically, an attacker can inject arbitrary api_url values via the baggage header, which the SDK uses to configure replica endpoints.

Because the SDK accepts these attacker-controlled values without validation, it can be tricked into sending sensitive trace data to attacker-controlled endpoints when a traced operation completes.

This occurs during the parsing of incoming HTTP headers by RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript, and the vulnerable versions are fixed in Python SDK 0.6.3 and JavaScript SDK 0.4.6.

Impact Analysis

This vulnerability can lead to the exfiltration of sensitive trace data to attacker-controlled endpoints.

An attacker exploiting this flaw can inject malicious URLs that cause the SDK to send confidential information outside the trusted environment.

Such data leakage can compromise the confidentiality of your system's internal operations and potentially expose sensitive information.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the LangSmith SDKs to the fixed versions.

  • For the Python SDK, upgrade to version 0.6.3 or later.
  • For the JavaScript SDK, upgrade to version 0.4.6 or later.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25528. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart