DEV Community

Tracepilot
Langsmith 0.3.79 Has 5 CVEs. Here's What Actually Breaks.

You upgraded LangSmith to 0.3.79. Now your security scanner screams: 5 vulnerabilities. Highest severity: 9.8.

Your first instinct: panic-upgrade. Your second: ignore it because "it's just the client SDK."

Both are wrong. Here's why.


The Problem

LangSmith is your LLM observability layer. It sends traces, logs, and evaluation data from your agents to LangSmith's platform. That 0.3.79.tgz tarball? It pulls in dependencies with known issues.

The finding the scanner rates highest sits in undici, the HTTP client pulled in somewhere underneath the SDK. Before acting on the score, read the advisory it links. The undici IDs attached to this release are about credentials being forwarded on a redirect and a lax integrity check in fetch(), not request smuggling, and upstream rates them low, not 9.8. A scanner score on a transitive dependency is the worst case for the library as a whole, not the risk to your particular use of it.

Header and redirect handling bugs in HTTP clients are a well-known class. Whether one reaches you depends on whether your call path hits the buggy code, and for an SDK that posts to one fixed endpoint that usually means: only if something between you and that endpoint can answer with a redirect.

What actually happens in the credential case:

Your Agent → LangSmith SDK → undici HTTP client → LangSmith API
                                      ↓ 3xx to another origin (a proxy or DNS you don't control)
                         Client follows the redirect and keeps
                         Authorization / Proxy-Authorization on the new request
                         Your API key lands on a host you never chose

But here's the kicker: you probably don't call undici directly. It's buried in LangSmith's dependency tree. Your package-lock.json has it locked at a vulnerable version, and npm audit fix can only move a transitive dependency within the range its parent declares; if the parent pins a range that excludes the fix, you need an override or a new parent release.


The Three Things That Actually Break

Read the advisories, not the scanner's one-line summary. The undici IDs below are less dramatic than "request smuggling", and two of them only matter if the client follows a redirect to an origin you did not choose.

1. Credentials forwarded across origins (CVE-2024-30260)

undici cleared Authorization and Proxy-Authorization on cross-origin redirects for fetch() but not for undici.request(). If the SDK's upload URL answers with a 3xx pointing at another host, the redirected request carries your credentials to that host. Fixed in undici 5.28.4 and 6.11.1.

Real-world impact: the attacker has to be able to return a redirect for the SDK's endpoint, which means they already sit on DNS, on a proxy, or on the endpoint itself. It is a credential-leak bug that exposes your LangSmith API key (and with it every trace that key can read), not a way for one request in a shared process to read another user's session.

2. Integrity check bypass in fetch() (CVE-2024-30261)

The integrity option of fetch() was parsed too laxly, so a tampered response could pass the check. Fixed in the same releases, 5.28.4 and 6.11.1.

Real-world impact: only code that passes integrity to fetch() is affected, and a trace uploader has no reason to. The scanner is telling you about a code path you almost certainly never execute. If a trace shows a tool call your agent never made, look at what the model emitted and at your own instrumentation; this CVE does not put fake calls into your traces.

3. Memory growth (reported as CVE-2024-30262)

Check this one against the advisory link your scanner gives you rather than the ID alone: it is not one of the two undici advisories above, and a memory finding against an HTTP client is usually about response bodies that are never consumed or closed, not about heap contents being disclosed. The symptom is worth taking seriously either way: the agent runs fine for hours, then OOMs. You blame the LLM. You blame the context window. You add more memory.

Guess what happens next? It OOMs again, because the growth is in the tracing layer, not the agent. Confirm it the boring way: take two heap snapshots an hour apart and diff retained objects by constructor, or disable tracing in one replica and compare RSS over the same window.


The Manual Fix (No TracePilot)

You have three options:

Option A: Force LangSmith to use a patched undici

Put the patched version in an override. A plain top-level npm install undici does nothing for a copy nested under node_modules/langsmith; the override is what rewrites every copy in the tree. Use the fixed version the advisory names, which for the two April 2024 undici advisories is 6.11.1 (or 5.28.4 on the 5.x line); 6.6.2 predates both fixes.

Add the override to your package.json:

{
  "overrides": {
    "undici": "6.11.1"
  }
}

Run npm install again. Verify that every copy moved, not just the hoisted one:

npm ls undici
# → every entry should show 6.11.1 or newer; a nested older copy means the override did not apply

Then run the SDK's happy path once. An override pushes a version the SDK never tested against, and that is the price of not waiting for a release.

Option B: Pin LangSmith to a known-safe version

Check LangSmith's changelog and the lockfile of the newer release. If a later version resolves a patched undici, bump to it:

npm install langsmith@0.3.82

Then run npm ls undici the same way. A newer SDK release is only the fix if its lockfile actually moved the dependency.

Option C: If you can't upgrade (legacy, compliance, etc.)

Backport the upstream fix instead of hunting for it with grep. The advisory links the fixing commit; apply that diff to the copy in node_modules/undici, then record it with patch-package so it survives the next npm install:

# edit node_modules/undici/... to apply the upstream fix commit, then
npx patch-package undici
# writes patches/undici+<version>.patch; add "postinstall": "patch-package" to the scripts in package.json

Not fun, and the patch has to be re-checked every time the SDK moves undici. Works when you're stuck.


What TracePilot Does Differently

TracePilot doesn't use undici. We built our ingestion pipeline on the raw Node.js http module with strict header validation. No transitive HTTP client dependencies. The honest caveat: Node's own http module has had advisories too; the difference is that those arrive with the runtime you already patch, not with a library buried in your lockfile.

One line change to swap LangSmith for TracePilot:

// Before
import { Client } from 'langsmith';
const ls = new Client({ apiKey: process.env.LANGSMITH_API_KEY });

// After
import { TracePilot } from 'tracepilot-sdk';
const tp = new TracePilot(process.env.TRACEPILOT_API_KEY);

That's it. Same tracing capabilities, and no third-party HTTP client in the tree for a scanner to flag.

But here's the real win: TracePilot captures every LLM call, every tool invocation, every token spent — and surfaces them in a live dashboard. When something breaks, you don't grep logs. You open the trace, fork the execution at the failing step, edit the prompt, and replay.

No redeployment. No "works on my machine."


The Hook

You've got 5 CVEs sitting in your production agent right now. Your scanner says one of them is a 9.8; the advisory text says otherwise, and your security team is going to ask for the advisory, not the score.

You can patch it. You can override it. Or you can swap the tracing layer for one that doesn't have this problem in the first place.

TracePilot gives you the same observability — plus time-travel debugging — without the baggage.

Get a free API key. Fork your first failing trace in under 5 minutes.

Or keep fighting with undici overrides. Your call.


Debugging AI agents shouldn't feel like reading The Matrix.
Join other engineers who are building reliable autonomous workflows in our community: TracePilot Discord
