LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

Description

Summary

A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019).

Affected Component

  • Package: @langchain/community
  • Component: RecursiveUrlLoader
  • Configuration: preventOutside (default: true) is insufficient to prevent this bypass when redirects are followed automatically.

Description

RecursiveUrlLoader is a web crawler that recursively follows links from a starting URL. The existing SSRF mitigation validates the initial URL before fetching, but it does not re-validate when the request follows redirects. Because fetch follows redirects by default, an attacker can supply a public URL that passes validation and then redirects to a private network address, localhost, or cloud metadata endpoint.

This constitutes a “check‑then‑act” gap in the request lifecycle: the safety check occurs before the redirect chain is resolved, and the final destination is never validated.

Impact

If an attacker can influence content on a page being crawled (e.g., user‑generated content, untrusted external pages), they can cause the crawler to:
- Fetch cloud instance metadata (AWS, GCP, Azure), potentially exposing credentials or tokens
- Access internal services on private networks (10.x, 172.16.x, 192.168.x)
- Connect to localhost services
- Exfiltrate response data through attacker-controlled redirect chains

This is exploitable in any environment where RecursiveUrlLoader runs with access to internal networks or metadata services, which includes most cloud-hosted deployments.

Attack Scenario

  1. The crawler is pointed at a public URL that passes initial SSRF validation.
  2. That URL responds with a 3xx redirect to an internal target.
  3. The fetch follows the redirect automatically without revalidation.
  4. The crawler accesses the internal or metadata endpoint.

Example redirector:

https://302.r3dir.me/--to/?url=http://169.254.169.254/latest/meta-data/

Root Cause

  • SSRF validation (validateSafeUrl) is only performed on the initial URL.
  • Redirects are followed automatically by fetch (redirect: "follow" default), so the request can change destinations without additional validation.

Resolution

Upgrade to @langchain/community >= 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating Location targets before following them.
- Automatic redirects are disabled (redirect: "manual").
- Each 3xx Location is resolved and validated with validateSafeUrl() before the next request.
- A maximum redirect limit prevents infinite loops.

Reources

  • Original SSRF fix (CVE-2026-26019): enforced origin comparison and added initial URL validation
  • https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-02-25 22:59:48 UTC
Updated
2026-02-25 22:59:49 UTC
GitHub reviewed
2026-02-25 22:59:48 UTC
NVD published
2026-02-25

EPSS Score

Score Percentile
0.04% 12.51%

CVSS Scores

Base score Version Severity Vector
4.1 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-918 Server-Side Request Forgery (SSRF)

Credits

  • r3dbrothers (reporter)
  • hntrl (remediation_developer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm @langchain/community <= 1.1.17 1.1.18

References

cvelogic Threat Intelligence