{"data":{"id":"c1a405aa-3c42-4207-b47e-4454273b9bf8","title":"GHSA-fw9q-39r9-c252: LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`","summary":"The LangSmith JavaScript SDK contains a prototype pollution vulnerability (a class of flaw in which an attacker modifies the base object that all JavaScript objects inherit from) in its internal lodash `set()` function. The vulnerability exists because the code only blocks the `__proto__` key but allows attackers to bypass this protection using `constructor.prototype` instead, potentially affecting all objects in a Node.js application if an attacker controls the data being processed by the `createAnonymizer()` API.","solution":"Fixed in version 0.5.18. Users should update their `langsmith` package to 0.5.18 or later.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-fw9q-39r9-c252","publishedAt":"2026-04-10T20:18:02.000Z","cveId":"CVE-2026-40190","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":[],"issueType":"vulnerability","affectedPackages":["langsmith@<= 0.5.17 (fixed: 0.5.18)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["langsmith","langchain-ai/langsmith-sdk"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-10T20:18:02.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}