CVE-2026-25528 Overview
CVE-2026-25528 is a Server-Side Request Forgery (SSRF) vulnerability in the LangSmith Client SDKs that allows attackers to exfiltrate sensitive trace data to attacker-controlled endpoints. The vulnerability exists in the distributed tracing feature where malicious HTTP headers can inject arbitrary api_url values through the baggage header, causing the SDK to send sensitive information to unauthorized destinations.
Critical Impact
Attackers can intercept and exfiltrate sensitive trace data including API keys and runtime information by injecting malicious replica configurations through HTTP headers.
Affected Products
- LangSmith Python SDK versions prior to 0.6.3
- LangSmith JavaScript/TypeScript SDK versions prior to 0.4.6
Discovery Timeline
- 2026-02-09 - CVE CVE-2026-25528 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25528
Vulnerability Analysis
This SSRF vulnerability affects the distributed tracing functionality within the LangSmith SDK. When applications utilize distributed tracing, the SDK parses incoming HTTP headers through RunTree.from_headers() in Python or RunTree.fromHeaders() in TypeScript. The vulnerability stems from insufficient validation of the baggage header, which can contain replica configurations including api_url and api_key fields.
Prior to the security fix, these attacker-controlled values were accepted without proper validation. When a traced operation completes, the SDK's post() and patch() methods automatically send run data to all configured replica URLs, including any malicious endpoints injected by an attacker. This creates a data exfiltration channel where sensitive trace information, potentially including API keys and application runtime data, can be siphoned to attacker-controlled servers.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), as it allows attackers to manipulate server-side requests to arbitrary destinations.
Root Cause
The root cause of this vulnerability is the lack of input validation on the api_url parameter parsed from the HTTP baggage header. The SDK trusted user-supplied header values and used them directly to configure replica endpoints without sanitization or allowlist validation. This design flaw allowed external attackers to inject arbitrary URLs into the SDK's replica configuration system.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by crafting malicious HTTP requests containing a specially crafted baggage header with attacker-controlled api_url values. When the target application processes these requests using the vulnerable SDK's distributed tracing feature, the injected URLs are added to the replica configuration.
The exploitation mechanism works as follows: the attacker sends HTTP requests with a manipulated baggage header to a service using the LangSmith SDK. The SDK's header parsing functions extract the malicious replica configuration. When traced operations complete, the SDK sends trace data to all replica endpoints, including the attacker's server. This allows passive exfiltration of sensitive operational data without requiring direct access to the target system.
Detection Methods for CVE-2026-25528
Indicators of Compromise
- Unexpected outbound HTTP connections from services using LangSmith SDK to unfamiliar external endpoints
- Unusual baggage header values in incoming HTTP requests containing external URLs
- Trace data appearing in logs destined for non-standard API endpoints
- Network traffic patterns showing data exfiltration to unknown domains
Detection Strategies
- Monitor network egress traffic for connections to unexpected external endpoints from LangSmith-enabled services
- Implement HTTP header inspection rules to detect suspicious baggage headers with external URL patterns
- Deploy application-layer monitoring to identify anomalous replica configurations
- Review LangSmith SDK configuration logs for unexpected api_url entries
Monitoring Recommendations
- Enable verbose logging on LangSmith SDK operations to capture replica configuration changes
- Implement network segmentation and egress filtering to restrict outbound connections from tracing services
- Deploy SIEM rules to correlate unusual HTTP header patterns with subsequent outbound connections
- Establish baseline network behavior for services using distributed tracing to identify anomalies
How to Mitigate CVE-2026-25528
Immediate Actions Required
- Upgrade the LangSmith Python SDK to version 0.6.3 or later immediately
- Upgrade the LangSmith JavaScript/TypeScript SDK to version 0.4.6 or later immediately
- Audit network logs for any suspicious outbound connections from affected services
- Review and restrict network egress policies for services utilizing distributed tracing
Patch Information
The vulnerability has been addressed in LangSmith Python SDK version 0.6.3 and JavaScript SDK version 0.4.6. These patched versions implement proper validation of replica configurations parsed from HTTP headers, preventing injection of arbitrary api_url values. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Implement network-level egress filtering to restrict outbound connections to only known LangSmith API endpoints
- Deploy a reverse proxy or WAF rule to sanitize or block suspicious baggage headers before they reach the application
- Temporarily disable distributed tracing features if patching cannot be performed immediately
- Use network segmentation to isolate services running vulnerable SDK versions from external network access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
