Описание
A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.
A Server-Side Request Forgery (SSRF) flaw was found in the langchain-community package due to a lack of restriction enforcement on specific internet addresses. This flaw allows an attacker to access local services, conduct port scans, retrieve instance metadata, or interact with local network resources.
Отчет
No Red Hat products are impacted by this vulnerability as the affected package version is not used.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-service-api-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/de-minimal-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/ee-supported-rhel9 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/lightspeed-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-24/platform-resource-runner-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/aap-cloud-metrics-collector-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/ansible-dev-tools-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 2 | ansible-automation-platform-25/de-minimal-rhel8 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
8.3 High
CVSS3
Связанные уязвимости
A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.
LangChain Community SSRF vulnerability exists in RequestsToolkit component
Уязвимость фреймворка для создания приложений на основе комбинирования языковах моделей (LLM) LangChain, связанная с недостаточной проверкой запросов на стороне сервера, позволяющая нарушителю осуществить SSRF-атаку
EPSS
8.3 High
CVSS3