Server-Side Request Forgery (SSRF) in LangChain - #VU126569

 

Server-Side Request Forgery (SSRF) in LangChain - #VU126569

Published: April 20, 2026


Vulnerability identifier: #VU126569
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: LangChain
Affected software:
LangChain

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose limited sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the _url_to_size() helper when validating a URL and then fetching it with separate DNS resolution during image token counting. A remote attacker can use an attacker-controlled hostname with DNS rebinding to disclose limited sensitive information.

User interaction is required, and the issue is limited to blind probing based on timing or error behavior because fetched response content is not returned, logged, or otherwise exposed to the caller.


Remediation

Install security update from vendor's website.

Sources