Description
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.
Published: 2026-02-11
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF Bypass allows attacker to reach internal or cloud metadata resources
Action: Apply patch
AI Analysis

Impact

The flaw resides in the RecursiveUrlLoader class of the @langchain/community package of the langchainjs framework. The loader’s preventOutside option, meant to confine the crawler to the same origin as the start URL, relies on a plain String.startsWith() prefix comparison for origin validation. That comparison ignores URL semantics (scheme, host and port), and the loader also fails to reject URLs that resolve to private or reserved IP addresses. An attacker who controls content on a page that the crawler visits can embed links that share a string prefix with the base URL yet point to attacker‑controlled domains, or links that point directly at internal infrastructure such as cloud metadata services or localhost. The crawler follows those links, yielding a server-side request forgery (SSRF) that can expose confidential data or provide a foothold into the target network. The CVSS score of 4.1 indicates moderate severity.

Affected Systems

langchain-ai’s langchainjs library includes the @langchain/community module with the RecursiveUrlLoader class. Versions older than 1.1.14 (1.1.13 and earlier) contain the SSRF bypass; updating to 1.1.14 eliminates the flaw. The vulnerability affects applications built with Node.js that import @langchain/community and use RecursiveUrlLoader on URLs originating from, or reachable through, adversary-controlled content.

Risk and Exploitability

The vulnerability is a moderate‑severity SSRF flaw with a CVSS score of 4.1. The EPSS of less than 1% indicates a very low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The most likely attack path involves an attacker hosting a web page that the application’s crawler processes; by embedding links to internal or attacker-chosen destinations in that page, the attacker causes the crawler to issue requests to private networks, RFC 1918 addresses, localhost, or cloud metadata endpoints with no restriction. If the application runs the crawler on arbitrary URLs supplied by or reachable from an attacker, the SSRF can be triggered with minimal prerequisites and provide access to internal resources.

Generated by OpenCVE AI on April 18, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @langchain/community to version 1.1.14 or later to remove the vulnerability.
  • If an upgrade cannot be performed immediately, reconfigure the crawler to allow only explicitly whitelisted domains and reject any URL that resolves to a private or reserved IP address.
  • Deploy network‑level controls or firewall rules that block outbound HTTP/HTTPS traffic to internal IP ranges, RFC 1918 addresses, localhost, and cloud metadata service endpoints.

Generated by OpenCVE AI on April 18, 2026 at 18:09 UTC.
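The following is an added example, not code from langchainjs or from this advisory. It reconstructs the prefix-style origin check the Impact section describes (prefixCheck) beside an allowlist-based replacement of the kind the Recommended Actions call for (isAllowedUrl, which parses the link, requires its origin to be on an explicit allowlist, and rejects private or reserved hosts). The hostnames docs.example.com and docs.example.com.attacker.example are constructed sample values.

```javascript
// Added example (not langchainjs code): the prefix-style origin check the
// advisory describes, beside a hardened check that compares parsed origins
// against an explicit allowlist and rejects private/reserved address literals.

// Weak check: a plain string-prefix match, as described in the advisory.
function prefixCheck(baseUrl, candidate) {
  return candidate.startsWith(baseUrl);
}

// Private/reserved IPv4 ranges by first two octets: "this" network, RFC 1918,
// loopback, link-local (169.254.0.0/16, which holds cloud metadata endpoints),
// CGNAT (100.64.0.0/10) and multicast/reserved (224.0.0.0/3).
function isPrivateIPv4(a, b) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 169 && b === 254) || (a === 100 && b >= 64 && b <= 127);
}

// True for localhost and for address literals in private/reserved ranges.
// Hostnames from the WHATWG URL parser are already canonical (0x7f000001 and
// 2130706433 both become 127.0.0.1; IPv6 is lowercase hex in brackets).
function isPrivateOrReservedHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  const v4 = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) return isPrivateIPv4(Number(v4[1]), Number(v4[2]));
  if (h.includes(":")) { // IPv6 literal
    if (h === "::1" || h === "::" || /^f[cd]/.test(h) || h.startsWith("fe80")) return true;
    const dotted = h.match(/^::ffff:(\d+)\.(\d+)\.\d+\.\d+$/); // IPv4-mapped, dotted form
    if (dotted) return isPrivateIPv4(Number(dotted[1]), Number(dotted[2]));
    const hex = h.match(/^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/); // IPv4-mapped, hex form
    if (hex) { const n = parseInt(hex[1], 16); return isPrivateIPv4(n >> 8, n & 0xff); }
    return false;
  }
  // A DNS name: resolve it before connecting and pass each resolved address
  // through this same function, otherwise a rebinding name slips past.
  return false;
}

// Hardened check: resolve the link relative to the page it was found on,
// require http(s), require the origin (scheme + host + port) to be on an
// explicit allowlist, and refuse private/reserved hosts.
function isAllowedUrl(candidate, foundOn, allowedOrigins) {
  let target;
  try { target = new URL(candidate, foundOn); } catch { return false; }
  if (target.protocol !== "http:" && target.protocol !== "https:") return false;
  if (!allowedOrigins.includes(target.origin)) return false;
  return !isPrivateOrReservedHost(target.hostname);
}
```

The allowlist covers the origin comparison; the address check must also be applied to what the allowed name actually resolves to, since a name on the allowlist can still point at an internal address.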


Advisories
Source: GitHub GHSA
ID: GHSA-gf3v-fwqg-4vh7
Title: @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation
History

Thu, 19 Feb 2026 19:30:00 +0000

First Time appeared (values added): Langchain; Langchain langchain Community
CPEs (values added): cpe:2.3:a:langchain:langchain_community:*:*:*:*:*:node.js:*:*
Vendors & Products (values added): Langchain; Langchain langchain Community

Fri, 13 Feb 2026 00:15:00 +0000

References
Metrics threat_severity: None (value removed); Moderate (value added)


Thu, 12 Feb 2026 22:15:00 +0000

Metrics ssvc (value added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 09:45:00 +0000

First Time appeared (values added): Langchain-ai; Langchain-ai langchainjs
Vendors & Products (values added): Langchain-ai; Langchain-ai langchainjs

Wed, 11 Feb 2026 21:30:00 +0000

Description (value added): LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.
Title (value added): @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation
Weaknesses (value added): CWE-918
References
Metrics cvssV3_1 (value added): {'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T21:14:41.756Z

Reserved: 2026-02-09T21:36:29.554Z

Link: CVE-2026-26019

Vulnrichment

Updated: 2026-02-12T21:14:39.007Z

NVD

Status: Analyzed

Published: 2026-02-11T22:15:51.910

Modified: 2026-02-19T19:25:25.940

Link: CVE-2026-26019

Redhat

Severity: Moderate

Public Date: 2026-02-11T21:11:10Z

Links: CVE-2026-26019 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses