CVE-2026-27795
SSRF Redirect Bypass in LangChain RecursiveUrlLoader Prior to
Publication date: 2026-02-25
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langchain | langchain_community | to 1.1.18 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-27795 is a Server-Side Request Forgery (SSRF) bypass vulnerability in the RecursiveUrlLoader component of the LangChainJS library (@langchain/community). The vulnerability occurs because the loader validates only the initial URL for safety but allows the underlying fetch operation to automatically follow HTTP redirects without revalidating each redirected URL. This means an attacker can provide a safe public URL that redirects to an internal or sensitive endpoint (such as private IP addresses or cloud metadata services), bypassing SSRF protections.'}, {'type': 'paragraph', 'content': "The root cause is a 'check-then-act' flaw where only the first URL is checked, but subsequent redirects are followed unchecked, potentially exposing internal network resources or sensitive metadata endpoints."}, {'type': 'paragraph', 'content': 'The issue was fixed by disabling automatic redirects and manually handling each redirect. Each redirect URL is validated with a function that blocks unsafe destinations, and a maximum redirect limit is enforced to prevent infinite loops.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass SSRF protections and access internal or sensitive endpoints that should not be reachable from outside the network.
- Exposure of sensitive data such as cloud instance metadata (e.g., AWS, GCP, Azure metadata endpoints).
- Unauthorized access to internal network services running on private IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x).
- Potential disclosure of credentials or tokens obtained from internal or metadata endpoints.
The vulnerability is particularly critical in cloud-hosted environments where the RecursiveUrlLoader has network access to internal or metadata endpoints.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves monitoring the behavior of the RecursiveUrlLoader component in the @langchain/community package, specifically looking for HTTP requests that follow redirects without validating each redirect URL.
Since the vulnerability arises from automatic following of HTTP redirects without revalidation, you can detect suspicious activity by capturing HTTP traffic and inspecting redirect chains that lead to internal or metadata endpoints.
Suggested commands include using network monitoring tools such as tcpdump or Wireshark to capture HTTP traffic and grep or similar tools to filter for HTTP 3xx redirect responses and subsequent requests to private IP ranges or cloud metadata IPs (e.g., 169.254.169.254).
- Use tcpdump to capture HTTP traffic: tcpdump -i <interface> -s 0 -w capture.pcap port 80 or 443
- Analyze captured traffic with Wireshark or tshark to identify redirect responses (HTTP status codes 301, 302, 303, 307, 308).
- Filter logs or traffic for requests to private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x) or cloud metadata IP (169.254.169.254).
- Check application logs for RecursiveUrlLoader usage and verify if redirects are being followed without validation.
Because the vulnerability is in the code logic of the RecursiveUrlLoader, reviewing the version of @langchain/community in use and its redirect handling behavior is also a key detection step.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade the @langchain/community package to version 1.1.18 or later, where the vulnerability is fixed by disabling automatic HTTP redirects and validating each redirect URL.'}, {'type': 'paragraph', 'content': 'In version 1.1.18, the RecursiveUrlLoader disables automatic redirects by setting fetch redirect mode to "manual", validates every redirect target URL with the validateSafeUrl() function, and enforces a maximum redirect limit to prevent infinite loops.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider implementing manual validation of redirect URLs in your usage of RecursiveUrlLoader or disabling recursive URL loading temporarily to prevent SSRF bypass.'}, {'type': 'list_item', 'content': 'Upgrade @langchain/community to version 1.1.18 or later.'}, {'type': 'list_item', 'content': 'Ensure that fetch calls in RecursiveUrlLoader use redirect mode "manual".'}, {'type': 'list_item', 'content': 'Validate each redirect URL with a function similar to validateSafeUrl() to block private IPs and metadata endpoints.'}, {'type': 'list_item', 'content': 'Enforce a maximum redirect limit (e.g., 10) to avoid infinite redirect loops.'}, {'type': 'paragraph', 'content': 'Review and audit your applicationβs network access permissions to limit access to internal or metadata endpoints where possible.'}] [1, 2, 3]