Full Report
Cybersecurity researchers have disclosed a now-patched security flaw in LangChain's LangSmith platform that could be exploited to capture sensitive data, including API keys and user prompts. The vulnerability, which carries a CVSS score of 8.8 out of a maximum of 10.0, has been codenamed AgentSmith by Noma Security. LangSmith is an observability and evaluation platform that allows users to
Analysis Summary
# Vulnerability: Data Exfiltration via Malicious Agents in LangChain LangSmith
## CVE Details
- CVE ID: Not explicitly provided in the context. (Referred to as "AgentSmith" vulnerability)
- CVSS Score: 8.8 (High)
- CWE: Not explicitly provided in the context, but related to insecure configuration/misuse of proxy features.
## Affected Systems
- Products: LangChain LangSmith platform, specifically agents utilizing the LangChain Hub and the Proxy Provider feature.
- Versions: Prior to the patch deployed on November 6, 2024.
- Configurations: Users adopting or "Try It"-ing an agent uploaded to LangChain Hub/Prompt Hub that was pre-configured with a malicious proxy server pointing to an attacker-controlled endpoint.
## Vulnerability Description
A critical vulnerability, dubbed AgentSmith, allowed an attacker to create and share an AI agent on LangChain Hub configured with a malicious proxy server via the Proxy Provider feature. When an unsuspecting user tests or clones this agent, all subsequent communications (prompts, uploaded documents, images, voice inputs), and importantly, included secrets like OpenAI API Keys, are stealthily routed through and exfiltrated to the attacker's controlled proxy server. This allows for credential theft, unauthorized use of victim APIs (leading to billing issues or resource exhaustion), and leakage of proprietary data/models if the agent is cloned into an enterprise environment.
## Exploitation
- Status: Proof of Concept/Mechanism described, suggesting active exploitation potential based on user adoption of malicious agents.
- Complexity: Low (Requires an attacker to upload a malicious agent, and a user must interact with it.)
- Attack Vector: Network (via interaction with the malicious agent service)
## Impact
- Confidentiality: High (Capture of API keys, user prompts, and documents/images)
- Integrity: High (Potential for unauthorized actions using exfiltrated API keys)
- Availability: Medium (Potential denial of service/quota exhaustion by consuming victim's API limits)
## Remediation
### Patches
- Backend fix deployed by LangChain on November 6, 2024.
- Patch includes implementing a warning prompt displayed to users when they attempt to clone an agent containing a custom proxy configuration.
### Workarounds
- Users should avoid testing or cloning agents from the LangChain Hub unless they are fully trusted.
- **Strict Control:** Users must review the agent configuration, specifically looking for custom proxy server settings, before usage or cloning, especially if the agent is from an untrusted source.
## Detection
- Indicators of Compromise: Unexpected charges or usage spikes on connected external API services (e.g., OpenAI). Suspicious network traffic originating from the LangSmith interaction environment if custom networking is used, though the primary vector is data exfiltration through trusted communication channels.
- Detection methods and tools: Inspect system configurations before adoption/cloning for any non-standard Model Server or Proxy Provider configurations present in the agent definition.
## References
- Vendor Advisory: LangChain/LangSmith (Reference suggests a fix was deployed on Nov 6, 2024)
- Research Report: Noma Security (defanged: //noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses/)