Langsmith 0.3.79 Has 5 CVEs. Here's What Actually Breaks.

LangSmith version 0.3.79 contains 5 CVEs, including a 9.8 severity request smuggling vulnerability in the undici HTTP client. The flaw allows attackers to inject malicious headers, potentially compromising trace data and leaking PII in shared environments like Next.js serverless functions. Developers can patch by upgrading undici to 6.6.2 or switching to TracePilot, which avoids the vulnerable dependency.

You upgraded LangSmith to `0.3.79`. Now your security scanner screams: 5 vulnerabilities. Highest severity: 9.8.

Your first instinct: panic-upgrade. Your second: ignore it because "it's just the client SDK." Both are wrong. Here's why.

LangSmith is your LLM observability layer. It sends traces, logs, and evaluation data from your agents to LangSmith's platform. That `0.3.79.tgz` tarball? It pulls in dependencies with known issues.

The 9.8 severity CVE? It's in undici — the HTTP client LangSmith uses internally. Undici had a [request smuggling vulnerability](https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq) that lets an attacker inject headers into your requests. Sound familiar? This is the same class of bug that brought down major CDNs last year.

What actually happens:

```
Your Agent → LangSmith SDK → undici HTTP client → LangSmith API
                                     ↓
                        Attacker intercepts request
                        Injects malicious headers
                        Your trace data is compromised
```

But here's the kicker: you probably don't call undici directly. It's buried three layers deep in LangSmith's dependency tree. Your `package-lock.json` has it locked at a vulnerable version, and `npm audit` can't fix it without a transitive update.

An attacker can craft a malicious response that poisons subsequent requests. If you're running LangSmith in a shared process space (like a Next.js serverless function), one compromised trace can leak another user's data.

Real-world impact: Your customer support agent sends a user's PII to LangSmith.
Attacker intercepts the connection, injects headers, and now they're reading someone else's session data.

Same family. Different angle. Attacker terminates your request early, appends a fake one. Now LangSmith thinks your agent called a tool it never did.

This sucks for debugging: You look at your trace, see a tool call you never made, and spend hours trying to reproduce it. It's not a bug — it's an exploit.

Undici leaks heap memory under specific conditions. Your agent runs fine for hours, then OOMs. You blame the LLM. You blame the context window. You add more memory. Guess what happens next? It OOMs again. Because the leak is in the tracing layer, not the agent.

You have two options:

```
npm install undici@6.6.2
```

Then add an override to your `package.json`:

```json
{
  "overrides": {
    "undici": "6.6.2"
  }
}
```

Run `npm install` again. Verify:

```
npm ls undici
→ should show 6.6.2
```

Check LangSmith's changelog. If 0.3.80 or later fixed the dependency, bump:

```
npm install langsmith@0.3.82
```

Patch the vulnerable file directly. Find it:

```
find node_modules/undici -name "*.js" | xargs grep -l "CRLF\|split\|smuggle"
```

Then manually replace the vulnerable parsing logic. Not fun. Works when you're stuck.

TracePilot doesn't use `undici`. We built our ingestion pipeline on the raw Node.js `http` module with strict header validation. No transitive HTTP client dependencies.

One line change to swap LangSmith for TracePilot:

```js
// Before
import { Client } from 'langsmith';
const ls = new Client({ apiKey: process.env.LANGSMITH_API_KEY });

// After
import { TracePilot } from 'tracepilot-sdk';
const tp = new TracePilot(process.env.TRACEPILOT_API_KEY);
```

That's it. Same tracing capabilities. Zero CVEs in the HTTP layer.

But here's the real win: TracePilot captures every LLM call, every tool invocation, every token spent — and surfaces them in a live dashboard. When something breaks, you don't grep logs. You open the trace, fork the execution at the failing step, edit the prompt, and replay. No redeployment.
No "works on my machine."

You've got 5 CVEs sitting in your production agent right now. One of them is a 9.8. Your security team is going to ask about it.

You can patch it. You can override it. Or you can swap the tracing layer for one that doesn't have this problem in the first place.

TracePilot gives you the same observability — plus time-travel debugging — without the baggage.

[Get a free API key](https://tracepilotai.com). Fork your first failing trace in under 5 minutes.

Or keep fighting with undici overrides. Your call.

Debugging AI agents shouldn't feel like reading The Matrix. Join other engineers who are building reliable autonomous workflows in our community: [TracePilot Discord](https://discord.gg/KzXRAXFM8)
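
For the override route described earlier, `npm ls undici` is the quick check. The added example below (not from the original post, LangSmith, or TracePilot) reads the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and lists every installed copy of undici, nested ones included, that is below the 6.6.2 floor the post names. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: find copies of a package in a parsed package-lock.json
// that sit below a floor version. Function names are hypothetical.

// Compare dotted numeric versions such as "6.6.2".
// Assumption: pre-release suffixes ("-beta.1") are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` whose version is below `minVersion`.
// Reads the flat "packages" map used by lockfileVersion 2 and 3.
function findStaleCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  const stale = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match top-level and nested installs, but not "node_modules/undici-types".
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (!meta.version || compareVersions(meta.version, minVersion) < 0) {
      stale.push({ path, version: meta.version || 'unknown' });
    }
  }
  return stale;
}

// Constructed sample lockfile: the top-level copy meets the floor,
// a nested copy (constructed version number) does not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'agent-app', version: '1.0.0' },
    'node_modules/langsmith': { version: '0.3.79' },
    'node_modules/undici': { version: '6.6.2' },
    'node_modules/undici-types': { version: '5.26.5' },
    'node_modules/langsmith/node_modules/undici': { version: '5.28.2' },
  },
};

// For a real project, pass JSON.parse of your package-lock.json instead of sampleLock.
for (const s of findStaleCopies(sampleLock, 'undici', '6.6.2')) {
  console.log(`STALE ${s.path} @ ${s.version}`);
}
```

An empty result means every locked copy is at or above the floor; any listed path means the lockfile still resolves an older copy and needs regenerating after the override.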