langsmith 0.0.27

Direct Vulnerabilities

Known vulnerabilities in the langsmith package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Access of Resource Using Incompatible Type ('Type Confusion') langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the file attachments handling. An attacker can access local files on the server and have their contents uploaded to an external service by sending crafted HTTP requests that manipulate tracing-propagation headers. Note: This is only exploitable if the attacker can send HTTP requests to the server and has read access to the workspace where traces are stored. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `langsmith` to version 0.8.18 or higher.	[,0.8.18)
H Deserialization of Untrusted Data langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration. Note: This is only exploitable if the application pulls prompts by `owner/name` from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents. How to fix Deserialization of Untrusted Data? Upgrade `langsmith` to version 0.8.0 or higher.	[,0.8.0)
M Insertion of Sensitive Information into Log File langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the `Client` handling of events. An attacker can bypass redaction controls and exfiltrate LLM output by supplying streaming events with `kwargs` content that gets uploaded as part of a run. This leaks token-by-token model output into traced events, exposing prompt or response data to anyone with access to the stored run records. How to fix Insertion of Sensitive Information into Log File? Upgrade `langsmith` to version 0.7.31 or higher.	[,0.7.31)

Vulnerability

Vulnerable Version

Access of Resource Using Incompatible Type ('Type Confusion')

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the file attachments handling. An attacker can access local files on the server and have their contents uploaded to an external service by sending crafted HTTP requests that manipulate tracing-propagation headers.

Note: This is only exploitable if the attacker can send HTTP requests to the server and has read access to the workspace where traces are stored.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade langsmith to version 0.8.18 or higher.

[,0.8.18)

Deserialization of Untrusted Data

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration.

Note:

This is only exploitable if the application pulls prompts by owner/name from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents.

How to fix Deserialization of Untrusted Data?

Upgrade langsmith to version 0.8.0 or higher.

[,0.8.0)

Insertion of Sensitive Information into Log File

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the Client handling of events. An attacker can bypass redaction controls and exfiltrate LLM output by supplying streaming events with kwargs content that gets uploaded as part of a run. This leaks token-by-token model output into traced events, exposing prompt or response data to anyone with access to the stored run records.

How to fix Insertion of Sensitive Information into Log File?

Upgrade langsmith to version 0.7.31 or higher.

[,0.7.31)

langsmith@0.0.27

Client library to connect to the LangSmith Observability and Evaluation Platform.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically