The langchain-ai langsmith-sdk provides client SDKs for interacting with the LangSmith platform, including a distributed tracing feature that processes incoming HTTP headers to reconstruct trace data. Specifically, the SDK parses the baggage header, which can contain configuration parameters such as api_url and api_key for replica endpoints. In affected versions (>= 0.4.10 and < 0.6.3 for Python, and similarly for JavaScript), these parameters are accepted without validation. An attacker can craft malicious HTTP requests with a specially crafted baggage header containing arbitrary api_url values. When the traced operation completes, the SDK’s post() and patch() methods send run data to all configured replica URLs, including those injected by the attacker. This results in Server-Side Request Forgery (SSRF), where the SDK makes HTTP requests to attacker-controlled endpoints, potentially exfiltrating sensitive trace data. The vulnerability is classified as CWE-918 (SSRF). It affects confidentiality by leaking trace data but does not impact integrity or availability. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The issue was addressed in Python SDK version 0.6.3 and JavaScript SDK version 0.4.6 by validating or restricting the api_url values parsed from headers. No known active exploits have been reported, but the vulnerability’s nature warrants prompt remediation.

For European organizations, this vulnerability poses a risk of sensitive trace data leakage, which may include operational metadata, internal service endpoints, or other telemetry that could aid attackers in reconnaissance or further attacks. Organizations using the langsmith-sdk for distributed tracing in internal or customer-facing applications could inadvertently expose this data to malicious actors. Although the vulnerability does not directly compromise system integrity or availability, the confidentiality breach could violate data protection regulations such as GDPR if personal or sensitive information is included in traces. This could lead to regulatory penalties and reputational damage. Additionally, the SSRF could be leveraged as a pivot point for further internal network attacks if the attacker-controlled endpoints are used to probe or exploit internal services. The medium severity rating reflects moderate risk, but the ease of exploitation without authentication increases urgency for organizations relying on these SDK versions.

European organizations should immediately upgrade langsmith-sdk to at least version 0.6.3 for Python and 0.4.6 for JavaScript to ensure the vulnerability is patched. Until upgrades can be applied, organizations should implement strict network egress filtering to prevent the SDK from making outbound HTTP requests to untrusted or external endpoints, especially those not explicitly whitelisted. Monitoring and logging of outbound requests from applications using the SDK can help detect anomalous traffic indicative of exploitation attempts. Additionally, organizations should audit their use of distributed tracing and the baggage header to ensure that untrusted input is not accepted or propagated. Applying Web Application Firewall (WAF) rules to detect and block suspicious baggage header values may provide temporary mitigation. Finally, review trace data for any signs of exfiltration and conduct a security assessment of internal services exposed via tracing to identify any further risks.