SCA: security update for langsmith (GHSA-v34v-rq6j-cj6p)

medium Tenable Cloud Security Plugin ID 437670

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. The LangSmith SDK's
distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An
attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate
sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses
incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in TypeScript. The
baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix,
these attacker-controlled values were accepted without validation. When a traced operation completes, the
SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by
an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript
SDK. (CVE-2026-25528)
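The root cause described above is trust in replica configuration that arrives in an inbound baggage header. The following is an added defensive example, not LangSmith's code and not the SDK's actual wire format: it assumes a W3C-style baggage header in which an entry named `ls-replicas` (a key chosen for this example) carries a URL-encoded JSON list of replica objects, and it accepts a replica only if its `api_url` resolves to a host on an operator-controlled allowlist (`ALLOWED_API_HOSTS`, also an assumption). Header-supplied `api_key` values are discarded so that only the service's own credentials are ever used.

```python
"""Added example (not LangSmith's code): validate replica endpoints carried in an
inbound baggage header against an allowlist before they become tracing targets."""
from __future__ import annotations

import json
from urllib.parse import quote, unquote, urlsplit

# Hypothetical allowlist: the only hosts this service may post trace runs to.
ALLOWED_API_HOSTS = frozenset({"api.smith.langchain.com"})

# Assumed baggage entry name carrying the replica list (not the SDK's real key).
REPLICA_ENTRY = "ls-replicas"


def parse_baggage(header: str) -> dict[str, str]:
    """Split a W3C-style baggage header into {key: decoded value}.

    Entries are comma-separated key=value pairs; optional ';' properties
    after the value are ignored and the value is percent-decoded.
    """
    entries: dict[str, str] = {}
    for member in header.split(","):
        member = member.strip()
        if "=" not in member:
            continue
        key, _, value = member.partition("=")
        entries[key.strip()] = unquote(value.split(";")[0].strip())
    return entries


def is_allowed_api_url(url: str) -> bool:
    """True only for an https URL whose host is on the allowlist.

    Userinfo is rejected outright so that a URL such as
    https://trusted-host@other-host/ cannot masquerade as the trusted host.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in ALLOWED_API_HOSTS


def filter_replicas(header: str) -> tuple[list[dict], list[dict]]:
    """Return (accepted, rejected) replica configs parsed from the header.

    Accepted entries keep only the validated api_url; any api_key supplied by
    the caller is dropped in favour of the service's own configured key.
    Malformed or missing replica data yields nothing rather than raising.
    """
    raw = parse_baggage(header).get(REPLICA_ENTRY)
    if raw is None:
        return [], []
    try:
        replicas = json.loads(raw)
    except json.JSONDecodeError:
        return [], []
    if not isinstance(replicas, list):
        return [], []

    accepted: list[dict] = []
    rejected: list[dict] = []
    for rep in replicas:
        api_url = rep.get("api_url") if isinstance(rep, dict) else None
        if isinstance(api_url, str) and is_allowed_api_url(api_url):
            accepted.append({"api_url": api_url})
        else:
            rejected.append(rep)
    return accepted, rejected


# Constructed sample input: one legitimate replica plus two hostile ones, the
# second using a userinfo prefix to imitate the trusted host.
SAMPLE_REPLICAS = [
    {"api_url": "https://api.smith.langchain.com", "api_key": "key-from-header"},
    {"api_url": "https://collector.attacker.example/runs", "api_key": "x"},
    {"api_url": "https://api.smith.langchain.com@collector.attacker.example/", "api_key": "x"},
]
SAMPLE_HEADER = "session=abc123," + REPLICA_ENTRY + "=" + quote(
    json.dumps(SAMPLE_REPLICAS), safe=""
)

if __name__ == "__main__":
    ok, dropped = filter_replicas(SAMPLE_HEADER)
    print("accepted:", ok)
    print("rejected:", dropped)
```

In a real deployment the allowlist would come from service configuration, and the rejected entries are worth logging with the calling request's identity, since a header carrying unexpected replica endpoints is itself a useful detection signal.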

See Also

https://github.com/advisories/GHSA-v34v-rq6j-cj6p

Plugin Details

Severity: Medium

ID: 437670

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 2/10/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2026-25528

CVSS v3

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/9/2026

Vulnerability Publication Date: 2/9/2026

Reference Information

CVE: CVE-2026-25528

CWE: CWE-918