24 matches found

Snyk
added 2026/02/25 10:59 p.m. · 4 views

Server-side Request Forgery (SSRF)

Overview: @langchain/community is a package of third-party integrations for LangChain.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the RecursiveUrlLoader class. An attacker can access internal network resources or sensitive cloud metadata by supplying a public U...

CVSS 5.1 · AI score 5.9 · EPSS 0.00206
Exploits 0 · References 2

OSV
added 2026/02/25 10:59 p.m. · 2 views

GHSA-MPHV-75CG-56WG LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

Summary: A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metada...

CVSS 4.1 · AI score 5.7 · EPSS 0.00206
Exploits 0 · References 9

GitHub Security Blog
added 2026/02/25 10:59 p.m. · 5 views

LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

Summary: A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metada...

CVSS 7.4 · AI score 5.6 · EPSS 0.00371
Exploits 0 · References 9 · Affected Software 1

NVD
added 2026/02/25 6:23 p.m. · 5 views

CVE-2026-27795

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects...

CVSS 7.4 · EPSS 0.00206
Exploits 0 · References 7

Cvelist
added 2026/02/25 5:30 p.m. · 25 views

CVE-2026-27795 LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects...

CVSS 4.1 · EPSS 0.00206
Exploits 0 · References 7

CNNVD
added 2026/02/25 12:0 a.m. · 6 views

LangChain.js code issue vulnerability

LangChain.js is an open-source implementation of a context-aware reasoning application developed by LangChain. Versions of LangChain.js prior to 1.1.8 contained code vulnerabilities. These vulnerabilities stemmed from the RecursiveUrlLoader component, which allowed unauthorized access to...

CVSS 7.4 · AI score 5.9 · EPSS 0.00206
Exploits 0 · References 7

NVD
added 2026/02/11 10:15 p.m. · 12 views

CVE-2026-26019

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site...

CVSS 4.1 · EPSS 0.00371
Exploits 0 · References 4

CVE
added 2026/02/11 9:11 p.m. · 18 views

CVE-2026-26019

CVE-2026-26019 affects the LangChain JS library (@langchain/community) before version 1.1.14, specifically the RecursiveUrlLoader. The cause is insufficient URL origin validation: it relied on String.startsWith() to compare URLs, failing to validate semantic origin and permitting crawling of atta...

CVSS 4.1 · AI score 5.4 · EPSS 0.00371
Exploits 0 · References 4 · Affected Software 1

Vulnrichment
added 2026/02/11 9:11 p.m. · 3 views

CVE-2026-26019 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site...

CVSS 4.1 · AI score 5.4 · EPSS 0.00371
Exploits 0 · References 4

OSV
added 2026/02/11 9:11 p.m. · 6 views

CVE-2026-26019 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site...

CVSS 4.1 · AI score 5.5 · EPSS 0.00371
Exploits 0 · References 6

CNNVD
added 2026/02/11 12:0 a.m. · 4 views

LangChain code issue vulnerability

LangChain is an open-source framework developed by LangChain for creating applications powered by large language models (LLMs). Versions of LangChain prior to 1.1.14 contained code vulnerabilities. These vulnerabilities stemmed from insufficient URL validation in the RecursiveUrlLoader class within...

CVSS 4.1 · AI score 7.6 · EPSS 0.00371
Exploits 0 · References 4

EUVD
added 2025/10/03 8:7 p.m. · 4 views

EUVD-2024-0652

Malicious code in bioql PyPI...

CVSS 8.1 · AI score 4.7 · EPSS 0.00517
Exploits 1 · References 7

RedhatCVE
added 2025/05/23 7:25 a.m. · 8 views

CVE-2024-0243

With the following crawler configuration:

    from bs4 import BeautifulSoup as Soup
    url = "https://example.com"
    loader = RecursiveUrlLoader(url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text)
    docs = loader.load()

An attacker in control of the contents of https://example.com could...

CVSS 8.1 · AI score 7.8 · EPSS 0.00517
Exploits 1 · References 1

NVD
added 2024/02/26 4:27 p.m. · 7 views

CVE-2024-0243

With the following crawler configuration:

    from bs4 import BeautifulSoup as Soup
    url = "https://example.com"
    loader = RecursiveUrlLoader(url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text)
    docs = loader.load()

An attacker in control of the contents of https://example.com could...

CVSS 8.1 · AI score 4 · EPSS 0.00517
Exploits 1 · References 3

Cvelist
added 2024/02/24 5:59 p.m. · 16 views

CVE-2024-0243 Server-side Request Forgery In Recursive URL Loader

With the following crawler configuration:

    from bs4 import BeautifulSoup as Soup
    url = "https://example.com"
    loader = RecursiveUrlLoader(url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text)
    docs = loader.load()

An attacker in control of the contents of https://example.com could...

CVSS 3.7 · AI score 4.3 · EPSS 0.00517
Exploits 1 · References 3

Vulnrichment
added 2024/02/24 5:59 p.m. · 12 views

CVE-2024-0243 Server-side Request Forgery In Recursive URL Loader

With the following crawler configuration:

    from bs4 import BeautifulSoup as Soup
    url = "https://example.com"
    loader = RecursiveUrlLoader(url=url, max_depth=2, extractor=lambda x: Soup(x, "html.parser").text)
    docs = loader.load()

An attacker in control of the contents of https://example.com could...

CVSS 3.7 · AI score 6.9 · EPSS 0.00517
Exploits 1 · References 3

Positive Technologies
added 2024/02/24 12:0 a.m. · 1 view

PT-2024-15407 · Langchain Ai · Langchain

Name of the Vulnerable Software and Affected Versions: langchain versions prior to the version that includes the fix from https://github.com/langchain-ai/langchain/pull/15559
Description: The issue arises when an attacker controls the contents of a website, such as https://example.com, and places...

CVSS 8.1 · AI score 4.5 · EPSS 0.00517
Exploits 1 · References 11

OSV
added 2023/10/19 6:30 a.m. · 1 view

GHSA-655W-FM8M-M478 LangChain Server Side Request Forgery vulnerability

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server...

CVSS 8.8 · AI score 5.9 · EPSS 0.44711
Exploits 1 · References 5

NVD
added 2023/10/19 5:15 a.m. · 14 views

CVE-2023-46229

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server...

CVSS 8.8 · AI score 8.6 · EPSS 0.44711
Exploits 1 · References 2

OSV
added 2023/10/19 5:15 a.m. · 27 views

CVE-2023-46229

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server...

CVSS 8.8 · AI score 7
Exploits 0 · References 2