Berardinellidaniele

**Name of the Vulnerable Software and Affected Versions** LangSmith SDK Python versions prior to 0.8.0 LangSmith SDK JS/TS versions prior to 0.6.0 **Description** The prompt pull methods `pull prompt()` and `pull prompt commit()` in Python, and `pullPrompt()` and `pullPromptCommit()` in JS/TS, fetch and deserialize prompt manifests from the LangSmith Hub. These manifests can contain serialized LangChain objects and model configurations that influence runtime behavior. When pulling a public prompt using an `owner/name` identifier, the content is controlled by an external party. Prior versions of the SDK did not distinguish these public prompts from those within the caller's own organization, treating them as inert data rather than executable configuration. An attacker can publish a malicious prompt to the LangSmith Hub to affect applications that pull it. This can lead to Server-Side Request Forgery (SSRF), outbound request redirection, and interception of LLM traffic if the manifest configures an LLM client with an attacker-controlled `base url` or proxy. Additionally, it may allow prompt injection or behavior manipulation through attacker-controlled system messages or model parameters. The risk increases when `include model` is set to `True`, as it expands the deserialization allowlist to partner integration classes, or when `secrets from env` is enabled, allowing the reading of environment variables during deserialization. **Recommendations** Update LangSmith SDK Python to version 0.8.0 or later. Update LangSmith SDK JS/TS to version 0.6.0 or later. As a temporary mitigation, avoid pulling public prompts by `owner/name` from untrusted sources. Avoid using the `secrets from env` parameter when pulling untrusted prompts. Prefer setting `include model` to `false` when pulling prompts from sources outside the organization.