The Tattletale Header: SSRF in LangSmith SDK
Vulnerability ID: CVE-2026-25528
CVSS Score: 5.8
Published: 2026-02-09
A Server-Side Request Forgery (SSRF) vulnerability in the LangSmith SDK (Python and JS) allows attackers to exfiltrate sensitive LLM traces, including prompts and completions, by injecting a malicious W3C 'baggage' header. The vulnerability stems from an insecure implementation of distributed tracing that accepted logging destination URLs directly from incoming HTTP headers.
TL;DR
The LangSmith SDK blindly trusted the 'baggage' HTTP header, allowing attackers to define where trace data should be sent. By injecting a custom URL, an attacker can force your AI application to mirror all its internal thoughts, prompts, and PII directly to a server they control.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS Score: 5.8 (Medium)
- Impact: Sensitive Data Exfiltration
- Exploit Status: PoC Available
- Vulnerable Header: W3C Baggage (langsmith-replicas)
Affected Systems
- LangSmith SDK for Python (versions < 0.6.3)
- LangSmith SDK for JavaScript/TypeScript (versions < 0.4.6)
- LangSmith Python SDK: >= 0.4.10, < 0.6.3 (Fixed in: 0.6.3)
- LangSmith JS SDK: < 0.4.6 (Fixed in: 0.4.6)
Mitigation Strategies
- Upgrade SDK to patched version
- Implement Egress Filtering (Allowlist outbound domains)
- WAF rules to strip unknown keys from 'baggage' headers
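The header-stripping mitigation can also be enforced inside the service itself. The following is an added example, not code from LangSmith or from this advisory: a WSGI middleware that keeps only allowlisted baggage keys, so a langsmith-replicas entry sent by a client is dropped before the application and SDK see the request. The allowlisted key names, the function and class names, and the sample header values are assumptions made for illustration.

```python
"""Allowlist filter for the W3C 'baggage' request header (added example)."""
import re

# Assumption: the only baggage keys this service legitimately consumes.
ALLOWED_KEYS = frozenset({"tenant", "request-class"})
# Baggage keys are HTTP tokens (RFC 7230 tchar set).
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def sanitize_baggage(header, allowed=ALLOWED_KEYS):
    """Return (clean_header, dropped_keys) for one baggage header value."""
    kept, dropped = [], []
    for member in header.split(","):
        member = member.strip()
        if not member:
            continue
        # A list-member is key=value, optionally followed by ;properties.
        key, sep, _rest = member.partition("=")
        key = key.strip()
        # Exact-match allowlist: anything unknown or malformed is dropped.
        if sep and _TOKEN.match(key) and key in allowed:
            kept.append(member)
        else:
            dropped.append(key or member)
    return ", ".join(kept), dropped


class BaggageFilter:
    """WSGI middleware that rewrites HTTP_BAGGAGE before the app runs."""

    def __init__(self, app, allowed=ALLOWED_KEYS, log=print):
        self.app, self.allowed, self.log = app, allowed, log

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_BAGGAGE")
        if raw is not None:
            clean, dropped = sanitize_baggage(raw, self.allowed)
            if clean:
                environ["HTTP_BAGGAGE"] = clean
            else:
                del environ["HTTP_BAGGAGE"]
            if dropped:
                # A dropped langsmith-* key from an external client merits an alert.
                self.log(f"baggage keys dropped: {dropped}")
        return self.app(environ, start_response)
```

Wrap the application object once at startup, for example `app = BaggageFilter(app)`. This complements the upgrade and egress filtering rather than replacing them.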
Remediation Steps:
- Identify all services using 'langsmith' Python or JS SDK.
- Update Python packages to version 0.6.3 or higher.
- Update Node.js packages to version 0.4.6 or higher.
- Restart services to apply changes.