Upstream information

CVE-2026-40190 at MITRE

Description

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having critical severity.

CVSS v3 Scores
CVSS detail CNA (GitHub) National Vulnerability Database
Base Score 5.6 9.8
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network Network
Attack Complexity High Low
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact Low High
Integrity Impact Low High
Availability Impact Low High
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1262017 [NEW]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Sat Apr 11 00:11:28 2026
CVE page last modified: Wed Jul 8 11:52:05 2026