Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 5 npm packages depend on langsmith (5 direct, 2 indirect)
Ecosystem-wide dependent count for version 0.5.19.
DescriptionGitHub Advisory
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipeline entirely - prepareRunCreateOrUpdateInputs (JS) and _hide_run_outputs (Python) only process the inputs and outputs fields on a run, never the events array. As a result, applications relying on output redaction to prevent sensitive LLM output from being stored in LangSmith will still leak the full streamed content via run events. Version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK fix the issue.
AnalysisAI
LangSmith Client SDKs in JavaScript (prior to 0.5.19) and Python (prior to 0.7.31) fail to apply output redaction controls to streaming token events, allowing sensitive LLM-generated content to leak into LangSmith platform storage despite hideOutputs/hide_outputs being enabled. Unauthenticated remote attackers can intercept or access unredacted streamed tokens if they gain visibility into run events, bypassing the intended confidentiality controls.
Technical ContextAI
The LangSmith SDKs implement output redaction through prepareRunCreateOrUpdateInputs (JavaScript) and _hide_run_outputs (Python) functions that sanitize the inputs and outputs fields on run objects before transmission to the LangSmith platform. However, when an LLM generates streaming output (common in modern LLM integrations), each token chunk is recorded as a separate new_token event appended to the events array within the run object. The redaction pipeline processes only the top-level inputs and outputs fields and completely bypasses the events array, causing raw token values to persist unredacted. This is fundamentally an information disclosure flaw (CWE-200) where trust boundaries fail - applications assume redaction applies uniformly across all output channels, but the streaming event path operates outside the redaction mechanism. The vulnerability affects the langsmith-sdk package across its Python and JavaScript implementations.
RemediationAI
Vendor-released patch: Upgrade to LangSmith JavaScript SDK version 0.5.19 or later, and Python SDK version 0.7.31 or later. Both versions restore redaction coverage to the events array, ensuring new_token events are processed through the redaction pipeline. Organizations should apply these upgrades immediately if they rely on the hideOutputs (JavaScript) or hide_outputs (Python) feature for compliance or data protection. No workarounds are available short of patching - disabling streaming integrations entirely would preserve redaction guarantees but is not practical for production LLM applications. Interim mitigations include restricting LangSmith workspace access via IAM, encrypting network traffic between SDK and LangSmith platform with TLS, and monitoring LangSmith workspace access logs for unexpected data access. See GitHub security advisory GHSA-rr7j-v2q5-chgv for detailed patch notes.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25152