5 matches found
GHSA-V34V-RQ6J-CJ6P LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
Summary The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. ---...
CVE-2026-25528
CVE-2026-25528 affects LangSmith Client SDKs with distributed tracing. The baggage header in HTTP requests could inject replica configurations (api_url/api_key), causing the SDK to send trace data to attacker-controlled endpoints via post()/patch() after a traced operation. Root cause: RunTree.fr...
CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...
CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...
CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...