Vulnerability	Vulnerable Version
M Insertion of Sensitive Information into Log File langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the `Client` handling of events. An attacker can bypass redaction controls and exfiltrate LLM output by supplying streaming events with `kwargs` content that gets uploaded as part of a run. This leaks token-by-token model output into traced events, exposing prompt or response data to anyone with access to the stored run records. How to fix Insertion of Sensitive Information into Log File? Upgrade `langsmith` to version 0.5.19 or higher.	<0.5.19
M Prototype Pollution langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Prototype Pollution via `constructor.prototype` in the `baseAssignValue()` function. An attacker can modify the `Object.prototype` by supplying specially crafted keys in processed data, potentially impacting all objects within the Node.js process. How to fix Prototype Pollution? Upgrade `langsmith` to version 0.5.18 or higher.	<0.5.18

Insertion of Sensitive Information into Log File

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the Client handling of events. An attacker can bypass redaction controls and exfiltrate LLM output by supplying streaming events with kwargs content that gets uploaded as part of a run. This leaks token-by-token model output into traced events, exposing prompt or response data to anyone with access to the stored run records.

How to fix Insertion of Sensitive Information into Log File?

Upgrade langsmith to version 0.5.19 or higher.

<0.5.19

Prototype Pollution

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Prototype Pollution via constructor.prototype in the baseAssignValue() function. An attacker can modify the Object.prototype by supplying specially crafted keys in processed data, potentially impacting all objects within the Node.js process.

How to fix Prototype Pollution?

Upgrade langsmith to version 0.5.18 or higher.

<0.5.18

Go back to all versions of this package