Moaaz-0X

**Name of the Vulnerable Software and Affected Versions** LangSmith SDK Python versions prior to 0.8.0 LangSmith SDK JS/TS versions prior to 0.6.0 **Description** The prompt pull methods `pull prompt()` and `pull prompt commit()` in Python, and `pullPrompt()` and `pullPromptCommit()` in JS/TS, fetch and deserialize prompt manifests from the LangSmith Hub. These manifests can contain serialized LangChain objects and model configurations that influence runtime behavior. When pulling a public prompt using an `owner/name` identifier, the content is controlled by an external party. Prior versions of the SDK did not distinguish these public prompts from those within the caller's own organization, treating them as inert data rather than executable configuration. An attacker can publish a malicious prompt to the LangSmith Hub to affect applications that pull it. This can lead to Server-Side Request Forgery (SSRF), outbound request redirection, and interception of LLM traffic if the manifest configures an LLM client with an attacker-controlled `base url` or proxy. Additionally, it may allow prompt injection or behavior manipulation through attacker-controlled system messages or model parameters. The risk increases when `include model` is set to `True`, as it expands the deserialization allowlist to partner integration classes, or when `secrets from env` is enabled, allowing the reading of environment variables during deserialization. **Recommendations** Update LangSmith SDK Python to version 0.8.0 or later. Update LangSmith SDK JS/TS to version 0.6.0 or later. As a temporary mitigation, avoid pulling public prompts by `owner/name` from untrusted sources. Avoid using the `secrets from env` parameter when pulling untrusted prompts. Prefer setting `include model` to `false` when pulling prompts from sources outside the organization.

**Name of the Vulnerable Software and Affected Versions** langchain versions prior to 0.3.27 **Description** LangChain contains runtime code paths that deserialize inputs, outputs, or other application-controlled payloads using overly broad object allowlists, specifically calling `load()` with `allowed objects="all"`. This allows attacker-supplied serialized constructor dictionaries to instantiate trusted classes with untrusted arguments. This issue can lead to Server-Side Request Forgery (SSRF), enabling access to internal services, cloud metadata endpoints, or sensitive network resources, which may result in credential theft and persistent supply-chain compromise. Applications are exposed if they accept untrusted structured input (such as JSON) without validation, preserve attacker-controlled nested dictionaries or lists in run data, and use affected API paths. Known affected surfaces include the `RunnableWithMessageHistory` class, the `astream log()` function, and the `astream events(version="v1")` function. Additionally, a secret-marker validation bypass in the ` is lc secret` function allows constructor dictionaries to avoid escaping during `dumps()` to `loads()` round-trips. **Recommendations** Update langchain to version 0.3.27. Migrate away from the deprecated `RunnableWithMessageHistory` class, `astream log()` function, and `astream events(version="v1")` function in favor of newer streaming and memory patterns, such as the `stream` API. Use `load()` and `loads()` only with trusted manifests or objects from trusted storage; do not pass user-controlled data to these functions. When using `load()` or `loads()`, provide a narrow `allowed objects` value instead of relying on broad defaults or `allowed objects="all"`.