Описание
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
Summary
A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019).
Affected Component
- Package:
@langchain/community - Component:
RecursiveUrlLoader - Configuration:
preventOutside(default:true) is insufficient to prevent this bypass when redirects are followed automatically.
Description
RecursiveUrlLoader is a web crawler that recursively follows links from a starting URL. The existing SSRF mitigation validates the initial URL before fetching, but it does not re-validate when the request follows redirects. Because fetch follows redirects by default, an attacker can supply a public URL that passes validation and then redirects to a private network address, localhost, or cloud metadata endpoint.
This constitutes a “check‑then‑act” gap in the request lifecycle: the safety check occurs before the redirect chain is resolved, and the final destination is never validated.
Impact
If an attacker can influence content on a page being crawled (e.g., user‑generated content, untrusted external pages), they can cause the crawler to:
- Fetch cloud instance metadata (AWS, GCP, Azure), potentially exposing credentials or tokens
- Access internal services on private networks (
10.x,172.16.x,192.168.x) - Connect to localhost services
- Exfiltrate response data through attacker-controlled redirect chains
This is exploitable in any environment where RecursiveUrlLoader runs with access to internal networks or metadata services, which includes most cloud-hosted deployments.
Attack Scenario
- The crawler is pointed at a public URL that passes initial SSRF validation.
- That URL responds with a 3xx redirect to an internal target.
- The fetch follows the redirect automatically without revalidation.
- The crawler accesses the internal or metadata endpoint.
Example redirector:
Root Cause
- SSRF validation (
validateSafeUrl) is only performed on the initial URL. - Redirects are followed automatically by fetch (
redirect: "follow"default), so the request can change destinations without additional validation.
Resolution
Upgrade to @langchain/community >= 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating Location targets before following them.
- Automatic redirects are disabled (
redirect: "manual"). - Each 3xx
Locationis resolved and validated withvalidateSafeUrl()before the next request. - A maximum redirect limit prevents infinite loops.
Reources
- Original SSRF fix (CVE-2026-26019): enforced origin comparison and added initial URL validation
- https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7
Ссылки
- https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7
- https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg
- https://nvd.nist.gov/vuln/detail/CVE-2026-27795
- https://github.com/langchain-ai/langchainjs/pull/9990
- https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee
- https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d
- https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14
- https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18
Пакеты
@langchain/community
<= 1.1.17
1.1.18
Связанные уязвимости
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.