Description
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
Published: 2026-02-25
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF Bypass via Redirect Chaining
Action: Immediate Upgrade
AI Analysis

Impact

A redirect-based Server‑Side Request Forgery bypass exists in the RecursiveUrlLoader component of @langchain/community. The loader authenticates the initial URL but allows the underlying fetch call to follow HTTP redirects automatically without re‑validating each hop. This flaw enables a malicious actor to start from a seemingly safe public URL and be redirected to unsecured internal or metadata endpoints, potentially exposing sensitive data or internal services. The weakness is classified as CWE‑918.

Affected Systems

The vulnerability affects the LangChain Community package (langchain-ai:langchainjs) for Node.js. Versions prior to 1.1.8 are impacted. The fix was implemented in version 1.1.18, which validates every redirect target, disables automatic redirects, and enforces a strict redirect limit.

Risk and Exploitability

The severity is assessed with a CVSS score of 4.1, indicating moderate risk. The EPSS score is less than 1%, suggesting a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be application‑controlled HTTP requests that invoke RecursiveUrlLoader, allowing an attacker to supply crafted URLs or manipulate redirects to reach internal services.

Generated by OpenCVE AI on April 17, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @langchain/community to version 1.1.18 or later, which disables automatic redirects and re‑validates each Location target before following it.
  • Verify that the application no longer uses older versions of RecursiveUrlLoader and that redirect options are set to "manual" if the loader is customized.
  • If an upgrade cannot be performed immediately, restrict outbound traffic from the application or filter URLs to prevent redirects to internal networks, ensuring that any redirect chains are blocked or sufficiently validated by custom application logic.

Generated by OpenCVE AI on April 17, 2026 at 15:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-mphv-75cg-56wg LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Langchain
Langchain langchain Community
CPEs cpe:2.3:a:langchain:langchain_community:*:*:*:*:*:node.js:*:*
Vendors & Products Langchain
Langchain langchain Community

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Langchain-ai
Langchain-ai langchainjs
Vendors & Products Langchain-ai
Langchain-ai langchainjs

Thu, 26 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
Title LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N'}

Subscriptions

Langchain Langchain Community
Langchain-ai Langchainjs
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T18:42:52.277Z

Reserved: 2026-02-24T02:31:33.265Z

Link: CVE-2026-27795

cve-icon Vulnrichment

Updated: 2026-02-25T18:42:46.808Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T18:23:41.153

Modified: 2026-04-13T14:15:35.920

Link: CVE-2026-27795

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-25T17:30:01Z

Links: CVE-2026-27795 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses