CVE-2026-27795
Received Received - Intake
SSRF Redirect Bypass in LangChain RecursiveUrlLoader Prior to

Publication date: 2026-02-25

Last updated on: 2026-04-13

Assigner: GitHub, Inc.

Description
LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27795
EUVD
EUVD-2026-8697
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langchain langchain_community to 1.1.18 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27795 is a Server-Side Request Forgery (SSRF) bypass vulnerability in the RecursiveUrlLoader component of the LangChainJS library (@langchain/community). The vulnerability occurs because the loader validates only the initial URL for safety but allows the underlying fetch operation to automatically follow HTTP redirects without revalidating each redirected URL. This means an attacker can provide a safe public URL that redirects to an internal or sensitive endpoint (such as private IP addresses or cloud metadata services), bypassing SSRF protections.'}, {'type': 'paragraph', 'content': "The root cause is a 'check-then-act' flaw where only the first URL is checked, but subsequent redirects are followed unchecked, potentially exposing internal network resources or sensitive metadata endpoints."}, {'type': 'paragraph', 'content': 'The issue was fixed by disabling automatic redirects and manually handling each redirect. Each redirect URL is validated with a function that blocks unsafe destinations, and a maximum redirect limit is enforced to prevent infinite loops.'}] [1, 2]

Impact Analysis

This vulnerability can allow an attacker to bypass SSRF protections and access internal or sensitive endpoints that should not be reachable from outside the network.

  • Exposure of sensitive data such as cloud instance metadata (e.g., AWS, GCP, Azure metadata endpoints).
  • Unauthorized access to internal network services running on private IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x).
  • Potential disclosure of credentials or tokens obtained from internal or metadata endpoints.

The vulnerability is particularly critical in cloud-hosted environments where the RecursiveUrlLoader has network access to internal or metadata endpoints.

Compliance Impact

I don't know

Detection Guidance

Detection of this SSRF vulnerability involves monitoring the behavior of the RecursiveUrlLoader component in the @langchain/community package, specifically looking for HTTP requests that follow redirects without validating each redirect URL.

Since the vulnerability arises from automatic following of HTTP redirects without revalidation, you can detect suspicious activity by capturing HTTP traffic and inspecting redirect chains that lead to internal or metadata endpoints.

Suggested commands include using network monitoring tools such as tcpdump or Wireshark to capture HTTP traffic and grep or similar tools to filter for HTTP 3xx redirect responses and subsequent requests to private IP ranges or cloud metadata IPs (e.g., 169.254.169.254).

  • Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -s 0 -w capture.pcap port 80 or 443
  • Analyze captured traffic with Wireshark or tshark to identify redirect responses (HTTP status codes 301, 302, 303, 307, 308).
  • Filter logs or traffic for requests to private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x) or cloud metadata IP (169.254.169.254).
  • Check application logs for RecursiveUrlLoader usage and verify if redirects are being followed without validation.

Because the vulnerability is in the code logic of the RecursiveUrlLoader, reviewing the version of @langchain/community in use and its redirect handling behavior is also a key detection step.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade the @langchain/community package to version 1.1.18 or later, where the vulnerability is fixed by disabling automatic HTTP redirects and validating each redirect URL.'}, {'type': 'paragraph', 'content': 'In version 1.1.18, the RecursiveUrlLoader disables automatic redirects by setting fetch redirect mode to "manual", validates every redirect target URL with the validateSafeUrl() function, and enforces a maximum redirect limit to prevent infinite loops.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider implementing manual validation of redirect URLs in your usage of RecursiveUrlLoader or disabling recursive URL loading temporarily to prevent SSRF bypass.'}, {'type': 'list_item', 'content': 'Upgrade @langchain/community to version 1.1.18 or later.'}, {'type': 'list_item', 'content': 'Ensure that fetch calls in RecursiveUrlLoader use redirect mode "manual".'}, {'type': 'list_item', 'content': 'Validate each redirect URL with a function similar to validateSafeUrl() to block private IPs and metadata endpoints.'}, {'type': 'list_item', 'content': 'Enforce a maximum redirect limit (e.g., 10) to avoid infinite redirect loops.'}, {'type': 'paragraph', 'content': 'Review and audit your application’s network access permissions to limit access to internal or metadata endpoints where possible.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27795. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart