CVE-2026-40190

LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

Assigner: GitHub_M
Reserved: 09.04.2026 Published: 10.04.2026 Updated: 10.04.2026

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the proto key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 5.6

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	langchain-ai
Product	langsmith-sdk
Versions	Version < 0.5.18 is affected

Vendor

langchain-ai

Product

langsmith-sdk

Versions

Version < 0.5.18 is affected

References

Problem Types

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') CWE

CVE-2026-40190 PUBLISHED

LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `proto` Guard in Internal lodash `set()`

Metrics

Product Status

References

Problem Types