langsmith 0.4.60

Direct Vulnerabilities

Known vulnerabilities in the langsmith package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Deserialization of Untrusted Data langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration. Note: This is only exploitable if the application pulls prompts by `owner/name` from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents. How to fix Deserialization of Untrusted Data? Upgrade `langsmith` to version 0.8.0 or higher.	[,0.8.0)
M Insertion of Sensitive Information into Log File langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the `Client` handling of events. An attacker can bypass redaction controls and exfiltrate LLM output by supplying streaming events with `kwargs` content that gets uploaded as part of a run. This leaks token-by-token model output into traced events, exposing prompt or response data to anyone with access to the stored run records. How to fix Insertion of Sensitive Information into Log File? Upgrade `langsmith` to version 0.7.31 or higher.	[,0.7.31)
M Server-side Request Forgery (SSRF) langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper validation of `api_url` and `api_key` fields in baggage headers in `RunTree.from_headers()` and `RunTree.fromHeaders()` functions. An attacker can cause the exfiltration of sensitive trace data to attacker-controlled endpoints by injecting arbitrary `api_url` values through the baggage header, which are then used by the SDK to send run data to malicious URLs. Note: This issue affects applications, utilising `TracingMiddleware` and calling `RunTree.from_headers()` or `RunTree.fromHeaders()` with untrusted HTTP headers. How to fix Server-side Request Forgery (SSRF)? Upgrade `langsmith` to version 0.6.3 or higher.	[0.4.10,0.6.3)

Vulnerability

Vulnerable Version

Deserialization of Untrusted Data

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application behavior by publishing a crafted prompt manifest that is deserialized without proper validation. This may lead to disclosure of sensitive information, redirection of outbound requests, or execution of attacker-supplied configuration.

Note:

This is only exploitable if the application pulls prompts by owner/name from untrusted or compromised accounts and uses the pulled prompt without independently validating its contents.

How to fix Deserialization of Untrusted Data?

Upgrade langsmith to version 0.8.0 or higher.

[,0.8.0)

Insertion of Sensitive Information into Log File

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File through the Client handling of events. An attacker can bypass redaction controls and exfiltrate LLM output by supplying streaming events with kwargs content that gets uploaded as part of a run. This leaks token-by-token model output into traced events, exposing prompt or response data to anyone with access to the stored run records.

How to fix Insertion of Sensitive Information into Log File?

Upgrade langsmith to version 0.7.31 or higher.

[,0.7.31)

Server-side Request Forgery (SSRF)

langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) due to the improper validation of api_url and api_key fields in baggage headers in RunTree.from_headers() and RunTree.fromHeaders() functions. An attacker can cause the exfiltration of sensitive trace data to attacker-controlled endpoints by injecting arbitrary api_url values through the baggage header, which are then used by the SDK to send run data to malicious URLs.

Note:

This issue affects applications, utilising TracingMiddleware and calling RunTree.from_headers() or RunTree.fromHeaders() with untrusted HTTP headers.

How to fix Server-side Request Forgery (SSRF)?

Upgrade langsmith to version 0.6.3 or higher.

[0.4.10,0.6.3)

langsmith@0.4.60

Client library to connect to the LangSmith Observability and Evaluation Platform.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically