Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration. Note: This is only exploitable if the application pulls prompts by `owner/name` from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents. How to fix Deserialization of Untrusted Data? Upgrade `langsmith` to version 0.6.0 or higher.	<0.6.0

Deserialization of Untrusted Data

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration.

Note:

This is only exploitable if the application pulls prompts by owner/name from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents.

How to fix Deserialization of Untrusted Data?

Upgrade langsmith to version 0.6.0 or higher.

<0.6.0

Go back to all versions of this package