langsmith is vulnerable to Cross-Site Scripting (XSS)
59
Medium Risk
The InsightsReport._repr_html_ method builds an HTML anchor for rich display (for example in Jupyter notebooks) by interpolating the report name and link fields directly into the returned markup without escaping. When a rendered report carries attacker-influenced content, the raw values break out of the anchor and inject arbitrary HTML and JavaScript that executes in the context of the page showing the representation. This stored cross-site scripting can run whenever the object's rich HTML representation is rendered. The fix wraps self.name and self.link in html.escape before embedding them.
You are affected if you are using a version that falls within the vulnerable range and you render InsightsReport objects containing attacker-influenced content in a notebook or other HTML-rendering environment.
langsmith is vulnerable to Cross-Site Scripting (XSS) in versions 0.4.42 - 0.10.0.
Upgrade the langsmith library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant