Vulnerability Information
Vulnerability Title
LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
Vulnerability Description
LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in TypeScript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK's post() and patch() methods send run data to all configured replica URLs, including any injected by an attacker. This vulnerability is fixed in version 0.6.3 of the Python SDK and 0.4.6 of the JavaScript SDK.
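As an added example (not LangSmith's own code), the following Python shows the shape of the missing check described above: replica entries carried in a W3C-style baggage header are only honoured when their api_url points at an allowlisted host over HTTPS. The baggage key name "langsmith-replicas", the JSON shape of its value and the allowlist are assumptions for illustration, not the SDK's actual format.

```python
# Added example, not LangSmith SDK code. The baggage key name, the JSON layout
# of the replica list and the trusted-host allowlist are ASSUMPTIONS.
import json
from urllib.parse import unquote, urlsplit

REPLICAS_KEY = "langsmith-replicas"            # assumed baggage key
TRUSTED_HOSTS = {"api.smith.langchain.com"}    # assumed allowlist for this deployment


def parse_baggage(header: str) -> dict:
    """Split 'k1=v1,k2=v2' into a dict; values are percent-decoded."""
    out = {}
    for member in header.split(","):
        if "=" not in member:
            continue
        key, _, value = member.strip().partition("=")
        out[key.strip()] = unquote(value.split(";")[0].strip())  # drop properties
    return out


def replicas_unvalidated(header: str) -> list:
    """Pre-fix behaviour: every replica in the header is accepted as-is."""
    raw = parse_baggage(header).get(REPLICAS_KEY)
    return json.loads(raw) if raw else []


def trusted_api_url(url: str) -> bool:
    """Only HTTPS URLs whose host is on the allowlist may receive run data."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


def replicas_validated(header: str) -> list:
    """Hardened behaviour: keep only replicas whose api_url passes the check."""
    kept = []
    for rep in replicas_unvalidated(header):
        url = rep.get("api_url")
        if isinstance(url, str) and trusted_api_url(url):
            kept.append(rep)
    return kept


# Constructed sample header: one legitimate replica and one pointing at an
# untrusted host. Commas inside the JSON value are percent-encoded.
SAMPLE_HEADER = "langsmith-project=demo," + REPLICAS_KEY + "=" + json.dumps([
    {"api_url": "https://api.smith.langchain.com", "project_name": "prod"},
    {"api_url": "https://collector.example.invalid", "api_key": "constructed"},
]).replace(",", "%2C")
```

Calling replicas_unvalidated(SAMPLE_HEADER) returns both entries, while replicas_validated(SAMPLE_HEADER) keeps only the allowlisted one.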
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Vulnerability Type
Server-Side Request Forgery (SSRF)
Vulnerability Title
LangSmith Client SDKs Code Issue Vulnerability
Vulnerability Description
LangSmith Client SDKs is an open-source developer toolkit from LangChain. LangSmith Client SDKs versions before 0.6.3 and before 0.4.6 contain a code issue vulnerability: the distributed tracing feature does not validate HTTP headers, which may lead to server-side request forgery and exfiltration of sensitive data.
CVSS Information
N/A
Vulnerability Type
N/A