LangSmith SDK Output Redaction Bypass Vulnerability in JavaScript and Python SDKs

Vulnerability

A vulnerability exists in the LangSmith Client SDKs for JavaScript and Python, prior to the patched versions 0.5.19 and 0.7.31 respectively. The issue arises because the SDKs' output redaction controls do not apply to streaming token events. When a large language model (LLM) run generates streaming output, each token chunk is recorded as a new_token event with the raw token value, bypassing the redaction pipeline. This oversight can lead to sensitive LLM output being inadvertently stored in LangSmith, as the streamed content leaks through run events.
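To make the bug class concrete, here is an added, self-contained model of a tracing client in which a hide-outputs control covers the final run output but, in the pre-patch mode, not the per-token new_token events. It is illustrative code written for this page, not the LangSmith SDK: TraceClient, mask_secrets, SECRET_RE and the sample CHUNKS are all constructed assumptions, and leaked_secrets is the kind of check a team can run against what its tracer actually recorded.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Union

# Constructed sample pattern standing in for "sensitive" output: API-key-like strings.
SECRET_RE = re.compile(r"sk-[A-Za-z0-9]{8,}")

def mask_secrets(text: str) -> str:
    """Hypothetical hide-outputs callable: replaces key-like substrings."""
    return SECRET_RE.sub("[REDACTED]", text)

@dataclass
class TraceClient:
    """Toy tracing client modelling the bug class (not the LangSmith SDK).

    hide_outputs: True drops output payloads entirely, a callable transforms them.
    redact_token_events: False reproduces the pre-patch behaviour, where
    streaming new_token events skip the redaction pipeline.
    """
    hide_outputs: Union[bool, Callable[[str], str]]
    redact_token_events: bool = True
    events: list = field(default_factory=list)
    outputs: list = field(default_factory=list)

    def _hide(self, text: str) -> str:
        if self.hide_outputs is True:
            return ""
        if callable(self.hide_outputs):
            return self.hide_outputs(text)
        return text

    def new_token(self, token: str) -> None:
        # Pre-patch: raw token stored; patched: same pipeline as the final output.
        value = self._hide(token) if self.redact_token_events else token
        self.events.append({"name": "new_token", "token": value})

    def end_run(self, output: str) -> None:
        self.outputs.append(self._hide(output))

def stream_run(client: TraceClient, chunks: list) -> None:
    """Feed streamed chunks as new_token events, then record the joined output."""
    for chunk in chunks:
        client.new_token(chunk)
    client.end_run("".join(chunks))

def leaked_secrets(client: TraceClient) -> list:
    """Defensive check: scan everything the client recorded for unmasked secrets."""
    recorded = [e["token"] for e in client.events] + client.outputs
    return [m for text in recorded for m in SECRET_RE.findall(text)]

# Constructed stream: the model echoes a key-like value inside one chunk.
CHUNKS = ["The key is ", "sk-abcd1234efgh", "."]
```

Because each chunk is masked on its own, a pattern-based callable cannot match a secret that straddles two tokens, whereas `hide_outputs=True`, which drops the payload, has no such gap.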

Impact

Exploitation of this vulnerability causes sensitive streamed content from LLM runs to be leaked via run events, undermining the output redaction controls that users may rely on to protect such information.

Remediation

Users can upgrade to version 0.5.19 of the JavaScript SDK or version 0.7.31 of the Python SDK to address this vulnerability.

Added: Apr 23, 2026, 2:29 AM
Updated: Apr 23, 2026, 2:29 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 6.5
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.