PyPI: langchain-core
CVE-2024-0243
Safety vulnerability ID: SFTY-20240226-13160
Safety legacy ID: pyup.io-71611
Affected versions of the `langchain` package are vulnerable to Server-Side Request Forgery (SSRF) due to inadequate handling of external URLs in `recursive_url_loader.py`. The safeguard of setting the `prevent_outside` parameter to `True` can be bypassed, so the crawler may still reach servers outside the intended scope. An attacker who controls an external server can exploit this by embedding links that appear to be internal, such as `https://example.completely.different/my_file.html`, leading the crawler to fetch and process potentially malicious files.
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.