LangSmith SDKs Server-Side Request Forgery Vulnerability via Tracing Header Injection
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the LangSmith Client SDKs' distributed tracing feature. This issue allows attackers to inject arbitrary 'api_url' values through the 'baggage' header, leading the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. The vulnerability exists in the LangSmith SDKs for Python and JavaScript, affecting versions of the Python SDK prior to 0.6.3 and versions of the JavaScript SDK prior to 0.4.6. The issue arises because the SDK accepts unvalidated, attacker-controlled values in the 'baggage' header. The trace data sent to the injected endpoint can include sensitive information such as LLM prompts, completions, and application metadata.
Impact
Exploitation of this vulnerability allows for data exfiltration of sensitive trace information, including LLM inputs, outputs, and metadata, to attacker-controlled servers. Additionally, it enables the server to send requests to arbitrary URLs, potentially targeting internal services.
Reproduction
To reproduce this vulnerability, send an HTTP request to a service using a vulnerable version of the LangSmith SDK with a malicious 'baggage' header. The header should include an 'api_url' pointing to an attacker-controlled endpoint. Once the header is processed by the SDK, the injected 'api_url' will be used to exfiltrate trace data to the attacker's server.
Remediation
Users can update to version 0.6.3 of the Python SDK or version 0.4.6 of the JavaScript SDK. If an immediate upgrade is not possible, the 'baggage' header can be stripped or validated before being passed to the header parsing functions. Additionally, avoid using 'TracingMiddleware' with untrusted traffic.
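One way to apply the strip-or-validate workaround above, as an added example that is not LangSmith's code or part of the original advisory: an ASGI wrapper that keeps only allow-listed 'baggage' members with plain values, and drops the header when nothing survives. The names `filter_baggage` and `BaggageFilter`, the keys `tenant` and `trace-config`, and the sample header are constructed for illustration; the advisory does not say which baggage key carries 'api_url', so the filter allow-lists instead of matching on that name.

```python
import re
from urllib.parse import unquote

# Decoded values may contain only these characters: no quotes, braces, slashes
# or '%', so JSON blobs, URLs and double-encoded payloads are all rejected.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 _.\-]*")

# Constructed sample: one benign member plus a member smuggling an api_url.
SAMPLE = ("tenant=acme,trace-config=%7B%22api_url%22%3A%22"
          "https%3A%2F%2Fcollector.example%22%7D")


def filter_baggage(value, allowed_keys=()):
    """Keep only allow-listed members with plain values; None if none survive."""
    kept = []
    for member in value.split(","):
        key, sep, val = member.strip().partition("=")
        key, val = key.strip(), val.split(";", 1)[0].strip()  # drop ;properties
        if sep and key in allowed_keys and SAFE_VALUE.fullmatch(unquote(val)):
            kept.append(f"{key}={val}")
    return ",".join(kept) or None


class BaggageFilter:
    """ASGI wrapper to mount outside (before) any tracing middleware."""

    def __init__(self, app, allowed_keys=()):
        self.app = app
        self.allowed_keys = frozenset(allowed_keys)  # empty: strip baggage entirely

    async def __call__(self, scope, receive, send):
        if scope["type"] in ("http", "websocket"):
            headers = []
            for name, raw in scope["headers"]:
                if name.lower() == b"baggage":
                    clean = filter_baggage(raw.decode("latin-1"), self.allowed_keys)
                    if clean is None:
                        continue  # nothing trustworthy left: drop the header
                    raw = clean.encode("latin-1")
                headers.append((name, raw))
            scope = dict(scope, headers=headers)
        await self.app(scope, receive, send)
```

With the default empty allow-list the wrapper removes 'baggage' from every request, which is the strip option; passing keys switches it to the validate option.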
