Start your free trial today.

Protect your organization with cutting-edge cybersecurity solutions designed for resilience and efficiency. Secure your digital assets with confidence.

Your Shield Against Threats

Unleash the Power of Cybersecurity

Boost Your Security, Enhance Your Business

We solve Your Cyber Challenges

Quick Links

Resources

Deepaegis Portals

Vulnerability Advisory : LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `proto` Guard in Internal lodash `set()` with HIGH Attack Complexity

Summary

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.

Impact Assessment

Timeline

Published

April 10, 2026

Last Modified

April 10, 2026

Related Advisories

Vulnerability Advisory : LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()` with HIGH Attack Complexity

Vulnerability Advisory : LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `proto` Guard in Internal lodash `set()` with HIGH Attack Complexity