Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Vulnerability Description
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
LangChain.js 代码问题漏洞
Vulnerability Description
LangChain.js是LangChain开源的一个构建上下文感知推理应用程序。 LangChain.js 1.1.8之前版本存在代码问题漏洞,该漏洞源于RecursiveUrlLoader允许底层获取自动跟随重定向,可能导致服务端请求伪造攻击绕过。
CVSS Information
N/A
Vulnerability Type
N/A