CVE-2026-40190 is a medium-severity security vulnerability in langsmith (npm), affecting versions <= 0.5.17. It is fixed in 0.5.18.
GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash set() Guard in langsmith-sdk Severity: Medium (CVSS ~5.6) Status: Fixed in 0.5.18 Summary The LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the proto key, but fails to prevent traversal via constructor.prototype. This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. Affected Products | Product | Affected Versions | Component | |---------|-------------------|-----------| | langsmith (npm) | <= 0.5.17 | js/src/utils/lodash/baseAssignValue.ts, js/src/anonymizer/index.ts | | langchain-ai/langsmith-sdk | GitHub main branch (as of 2026-03-24) | JS/TypeScript SDK | Not affected: The Python SDK (langsmith on PyPI) does not use lodash or an equivalent pattern. Root Cause The SDK vendors an internal copy of lodash's set() function at js/src/utils/lodash/. The baseAssignValue() function at baseAssignValue.ts:11 implements a guard for prototype pollution: This blocks proto pollution but does not block the constructor.prototype traversal path. When set() is called with a path like "constructor.prototype.polluted": castPath() splits it into ["constructor", "prototype", "polluted"] baseSet() iterates: obj.constructor → Object → Object.prototype assignValue(Object.prototype, "polluted", value) calls baseAssignValue() Key is "polluted" (not "proto"), so the guard is bypassed Object.prototype.polluted = value, all objects are polluted Attack Vector via Anonymizer The createAnonymizer() API (importable as langsmith/anonymizer) processes data by: Extracting string nodes, extractStringNodes() walks an object recursively and builds dotted paths from keys Applying regex replacements, If a string value matches a configured pattern, the node is marked for update (anonymizer/index.ts:95) Writing back with set(), set(mutateValue, node.path, node.value) writes the replaced value back (anonymizer/index.ts:123) An attacker who controls keys in data being anonymized can construct a nested object where the path resolves to constructor.prototype.X: extractStringNodes() produces path "wrapper.constructor.prototype.isAdmin". When the replacement triggers and set() writes back, it traverses up to Object.prototype. Although createAnonymizer() uses deepClone() at anonymizer/index.ts:62 (JSON.parse(JSON.stringify(data))), the prototype chain traversal escapes the clone boundary because clone.wrapper.constructor resolves to the global Object constructor, not a cloned copy. Proof of Concept Impact Prototype pollution in a Node.js process can enable: Authentication bypass, if (user.isAdmin) checks succeed on all objects Remote Code Execution, Exploitable in template engines (Pug, EJS, Handlebars, Nunjucks) via polluted prototype properties that reach eval()/Function() sinks Denial of Service, Overwriting toString, valueOf, or hasOwnProperty on all objects Data exfiltration, Polluting serialization methods to inject attacker-controlled values Remediation In baseAssignValue.ts, extend the guard to cover constructor and prototype keys: As defense in depth, extractStringNodes() in anonymizer/index.ts should also sanitize or reject path segments matching constructor or prototype before passing them to set(). Timeline | Date | Event | |------|-------| | 2026-03-24 | Initial report submitted | | 2026-04-09 | Vendor confirmed; fixed in 0.5.18 | Credits Reported by: OneThing4101
CVE-2026-40190 has a CVSS score of 5.6 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.5.18). Upgrading removes the vulnerable code path.
npm
langsmith (<= 0.5.17)langsmith → 0.5.18 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-40190 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-40190 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-40190 in your environment →Upgrade langsmith to 0.5.18 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-40190 is a medium-severity security vulnerability in langsmith (npm), affecting versions <= 0.5.17. It is fixed in 0.5.18.
CVE-2026-40190 has a CVSS score of 5.6 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
langsmith (npm) versions <= 0.5.17 is affected.
Yes. CVE-2026-40190 is fixed in 0.5.18. Upgrade to this version or later.
Whether CVE-2026-40190 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade langsmith to 0.5.18 or later.