A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019).
@langchain/communityRecursiveUrlLoaderpreventOutside (default: true) is insufficient to prevent this bypass when redirects are followed automatically.RecursiveUrlLoader is a web crawler that recursively follows links from a starting URL. The existing SSRF mitigation validates the initial URL before fetching, but it does not re-validate when the request follows redirects. Because fetch follows redirects by default, an attacker can supply a public URL that passes validation and then redirects to a private network address, localhost, or cloud metadata endpoint.
This constitutes a “check‑then‑act” gap in the request lifecycle: the safety check occurs before the redirect chain is resolved, and the final destination is never validated.
If an attacker can influence content on a page being crawled (e.g., user‑generated content, untrusted external pages), they can cause the crawler to:
- Fetch cloud instance metadata (AWS, GCP, Azure), potentially exposing credentials or tokens
- Access internal services on private networks (10.x, 172.16.x, 192.168.x)
- Connect to localhost services
- Exfiltrate response data through attacker-controlled redirect chains
This is exploitable in any environment where RecursiveUrlLoader runs with access to internal networks or metadata services, which includes most cloud-hosted deployments.
Example redirector:
https://302.r3dir.me/--to/?url=http://169.254.169.254/latest/meta-data/
validateSafeUrl) is only performed on the initial URL.redirect: "follow" default), so the request can change destinations without additional validation.Upgrade to @langchain/community >= 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating Location targets before following them.
- Automatic redirects are disabled (redirect: "manual").
- Each 3xx Location is resolved and validated with validateSafeUrl() before the next request.
- A maximum redirect limit prevents infinite loops.
| Score | Percentile |
|---|---|
| 0.04% | 12.51% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 4.1 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-mphv-75cg-56wg ↗ |
| CVE | CVE-2026-27795 ↗ |
| CWE id | Name |
|---|---|
| CWE-918 | Server-Side Request Forgery (SSRF) |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | @langchain/community | <= 1.1.17 | 1.1.18 | — |