
10 matches found

EUVD
added 2026/02/25 10:59 p.m. | 8 views

EUVD-2026-8697

LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader...

CVSS 4.1 | AI score 8.4 | EPSS 0.00206
Exploits: 0 | References: 8
Vulnrichment
added 2026/02/25 5:30 p.m. | 2 views

CVE-2026-27795 LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects...

CVSS 4.1 | AI score 5.5 | EPSS 0.00206
Exploits: 0 | References: 7
CVE
added 2026/02/25 5:30 p.m. | 18 views

CVE-2026-27795

CVE-2026-27795 concerns the LangChain JS community loader (RecursiveUrlLoader in @langchain/community). Prior to version 1.1.8, it could bypass SSRF protections by allowing automatic redirects after validating the initial URL, enabling a transition from a safe public URL to an internal/metadata e...

CVSS 7.4 | AI score 8 | EPSS 0.00206
Exploits: 0 | References: 7 | Affected Software: 1
Snyk
added 2026/02/11 10:23 p.m. | 3 views

Server-side Request Forgery (SSRF)

Overview: @langchain/core is a Core LangChain.js abstractions and schemas. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the RecursiveUrlLoader class. An attacker can access internal or sensitive resources by influencing crawled page content to include lin...

CVSS 5.1 | AI score 5.7 | EPSS 0.00371
Exploits: 0 | References: 2
Snyk
added 2026/02/11 10:23 p.m. | 4 views

Server-side Request Forgery (SSRF)

Overview: @langchain/community is a Third-party integrations for LangChain.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the RecursiveUrlLoader class. An attacker can access internal or sensitive resources by influencing crawled page content to include...

CVSS 5.1 | AI score 5.7 | EPSS 0.00371
Exploits: 0 | References: 2
ATTACKERKB
added 2026/02/11 9:11 p.m. | 4 views

CVE-2026-26019

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site...

CVSS 4.1 | AI score 5.4 | EPSS 0.00371
Exploits: 0 | References: 5 | Affected Software: 1
Cvelist
added 2026/02/11 9:11 p.m. | 32 views

CVE-2026-26019 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site...

CVSS 4.1 | EPSS 0.00371
Exploits: 0 | References: 4
OSV
added 2026/02/11 3:13 p.m. | 5 views

GHSA-GF3V-FWQG-4VH7 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

Description: The RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith to compar...

CVSS 4.1 | AI score 5.5 | EPSS 0.00371
Exploits: 0 | References: 6
Github Security Blog
added 2026/02/11 3:13 p.m. | 9 views

@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

Description: The RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith to compar...

CVSS 4.1 | AI score 5.5 | EPSS 0.00371
Exploits: 0 | References: 6 | Affected Software: 1
Positive Technologies
added 2026/02/11 12:0 a.m. | 2 views

PT-2026-7722

Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 1.1.14. Description: The RecursiveUrlLoader class within the @langchain/community component is a web crawler that recursively follows links from a starting URL. The preventOutside option, intended to restrict crawling...

CVSS 4.1 | AI score 5.4 | EPSS 0.00371
Exploits: 0 | References: 17