{"slug": "langsmith-0-3-79-has-5-cves-here-s-what-actually-breaks", "title": "Langsmith 0.3.79 Has 5 CVEs. Here's What Actually Breaks.", "summary": "LangSmith version 0.3.79 contains 5 CVEs, including a 9.8 severity request smuggling vulnerability in the undici HTTP client. The flaw allows attackers to inject malicious headers, potentially compromising trace data and leaking PII in shared environments like Next.js serverless functions. Developers can patch by upgrading undici to 6.6.2 or switching to TracePilot, which avoids the vulnerable dependency.", "body_md": "You upgraded LangSmith to `0.3.79`. Now your security scanner screams: **5 vulnerabilities. Highest severity: 9.8.**\n\nYour first instinct: panic-upgrade. Your second: ignore it because \"it's just the client SDK.\"\n\nBoth are wrong. Here's why.\n\nLangSmith is your LLM observability layer. It sends traces, logs, and evaluation data from your agents to LangSmith's platform. That `0.3.79.tgz` tarball? It pulls in dependencies with known issues.\n\nThe 9.8 severity CVE? It's in `undici` — the HTTP client LangSmith uses internally. Undici had a [request smuggling vulnerability](https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq) that lets an attacker inject headers into your requests.\n\nSound familiar? This is the same class of bug that brought down major CDNs last year.\n\n**What actually happens:**\n\n```\nYour Agent → LangSmith SDK → undici HTTP client → LangSmith API\n                                      ↓\n                         Attacker intercepts request\n                         Injects malicious headers\n                         Your trace data is compromised\n```\n\nBut here's the kicker: you probably don't call `undici` directly. It's buried three layers deep in LangSmith's dependency tree. 
Your `package-lock.json` has it locked at a vulnerable version, and `npm audit` can't fix it without a transitive update.\n\nAn attacker can craft a malicious response that poisons subsequent requests. If you're running LangSmith in a shared process space (like a Next.js serverless function), one compromised trace can leak another user's data.\n\n**Real-world impact:** Your customer support agent sends a user's PII to LangSmith. Attacker intercepts the connection, injects headers, and now they're reading someone else's session data.\n\nSame family. Different angle. Attacker terminates your request early, appends a fake one. Now LangSmith thinks your agent called a tool it never did.\n\n**This sucks for debugging:** You look at your trace, see a tool call you never made, and spend hours trying to reproduce it. It's not a bug — it's an exploit.\n\nUndici leaks heap memory under specific conditions. Your agent runs fine for hours, then OOMs. You blame the LLM. You blame the context window. You add more memory.\n\n**Guess what happens next?** It OOMs again. Because the leak is in the tracing layer, not the agent.\n\nYou have two options:\n\n```\nnpm install undici@6.6.2\n```\n\nThen add an override to your `package.json`:\n\n```\n{\n  \"overrides\": {\n    \"undici\": \"6.6.2\"\n  }\n}\n```\n\nRun `npm install` again. Verify:\n\n```\nnpm ls undici\n# → should show 6.6.2\n```\n\nCheck LangSmith's changelog. If `0.3.80` or later fixed the dependency, bump:\n\n```\nnpm install langsmith@0.3.82\n```\n\nPatch the vulnerable file directly. Find it:\n\n```\nfind node_modules/undici -name \"*.js\" | xargs grep -l \"CRLF\\|split\\|smuggle\"\n```\n\nThen manually replace the vulnerable parsing logic. Not fun. Works when you're stuck.\n\nTracePilot doesn't use `undici`. We built our ingestion pipeline on raw Node.js `http` module with strict header validation. 
No transitive HTTP client dependencies.\n\n**One line change to swap LangSmith for TracePilot:**\n\n```js\n// Before\nimport { Client } from 'langsmith';\nconst ls = new Client({ apiKey: process.env.LANGSMITH_API_KEY });\n\n// After\nimport { TracePilot } from 'tracepilot-sdk';\nconst tp = new TracePilot(process.env.TRACEPILOT_API_KEY);\n```\n\nThat's it. Same tracing capabilities. Zero CVEs in the HTTP layer.\n\nBut here's the real win: TracePilot captures every LLM call, every tool invocation, every token spent — and surfaces them in a live dashboard. When something breaks, you don't grep logs. You open the trace, fork the execution at the failing step, edit the prompt, and replay.\n\n**No redeployment. No \"works on my machine.\"**\n\nYou've got 5 CVEs sitting in your production agent right now. One of them is a 9.8. Your security team is going to ask about it.\n\nYou can patch it. You can override it. Or you can swap the tracing layer for one that doesn't have this problem in the first place.\n\nTracePilot gives you the same observability — plus time-travel debugging — without the baggage.\n\n[Get a free API key](https://tracepilotai.com). Fork your first failing trace in under 5 minutes.\n\nOr keep fighting with `undici` overrides. 
Your call.\n\n**Debugging AI agents shouldn't feel like reading The Matrix.**\n\nJoin other engineers who are building reliable autonomous workflows in our community: [TracePilot Discord](https://discord.gg/KzXRAXFM8)", "url": "https://wpnews.pro/news/langsmith-0-3-79-has-5-cves-here-s-what-actually-breaks", "canonical_source": "https://dev.to/tracepilot_2841f1db6718a1/langsmith-0379-has-5-cves-heres-what-actually-breaks-4bn9", "published_at": "2026-06-15 15:21:47+00:00", "updated_at": "2026-06-15 15:36:37.337972+00:00", "lang": "en", "topics": ["ai-tools", "developer-tools", "ai-safety", "large-language-models", "ai-infrastructure"], "entities": ["LangSmith", "undici", "TracePilot", "Next.js", "Node.js"], "alternates": {"html": "https://wpnews.pro/news/langsmith-0-3-79-has-5-cves-here-s-what-actually-breaks", "markdown": "https://wpnews.pro/news/langsmith-0-3-79-has-5-cves-here-s-what-actually-breaks.md", "text": "https://wpnews.pro/news/langsmith-0-3-79-has-5-cves-here-s-what-actually-breaks.txt", "jsonld": "https://wpnews.pro/news/langsmith-0-3-79-has-5-cves-here-s-what-actually-breaks.jsonld"}}