PyPI: langchain-community
CVE-2025-2828
Safety vulnerability ID: SFTY-20250623-57712
Safety legacy ID: pyup.io-77900
Overview
An SSRF vulnerability exists in the RequestsToolkit component of LangChain Community.
Advisory
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) due to a lack of proper URL validation in the RequestsToolkit component. The RequestsToolkit fails to enforce restrictions on target URLs, allowing requests to both remote internet addresses and local network addresses, leading to potential port scanning, access to local services, retrieval of cloud instance metadata, and interaction with internal network resources.
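The advisory describes the missing control as "proper URL validation" of the target before a request is made. The following is an added example of such a guard, written here for illustration; it is not langchain-community's code and not the fix in the referenced commit. Every name in it (validate_url, is_public_address, is_safe_url, the fake resolver table) is an assumption of this example. It resolves the host, then refuses loopback, private, link-local (which covers the 169.254.0.0/16 range used for cloud instance metadata), IPv4-mapped and other non-global addresses, and optionally enforces a hostname allowlist:

```python
"""Added example (not the project's code): a URL guard of the kind the
advisory says RequestsToolkit lacked. Names and the sample resolver table
are constructed for this illustration."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched by the tool."""


def default_resolver(host: str) -> list:
    """Resolve host to every A/AAAA address; the check must cover all of them."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is judged by its IPv4 payload.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global rejects loopback, RFC 1918, link-local (169.254/16), CGNAT,
    # unspecified and reserved ranges; multicast is excluded separately.
    return ip.is_global and not ip.is_multicast


def validate_url(
    url: str,
    allowed_hosts: Optional[set] = None,
    resolver: Resolver = default_resolver,
) -> str:
    """Return url unchanged if it is safe to fetch, else raise UnsafeURL.

    allowed_hosts: optional hostname allowlist (the strongest control for an
    agent tool). The address check always runs, so an allowlisted host that
    resolves to an internal address is still rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise UnsafeURL("URL has no host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials embedded in URL are not allowed")
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeURL(f"host not in allowlist: {host!r}")
    # A literal IP host never goes through DNS; anything else is resolved, which
    # also catches aliases of loopback such as 'localhost'.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise UnsafeURL(f"no addresses for {host!r}")
    for addr in addrs:
        if not is_public_address(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    return url


def is_safe_url(url: str, allowed_hosts: Optional[set] = None,
                resolver: Resolver = default_resolver) -> bool:
    """Boolean form of validate_url, convenient for a tool's pre-flight check."""
    try:
        validate_url(url, allowed_hosts=allowed_hosts, resolver=resolver)
        return True
    except UnsafeURL:
        return False


# Constructed resolver table so the example runs offline (addresses are made up).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://example.com/data", "http://169.254.169.254/latest/",
              "http://[::1]:8080/", "http://localhost/", "http://internal.corp/",
              "ftp://example.com/", "http://[::ffff:10.0.0.1]/"):
        print(f"{u:40} -> {'allowed' if is_safe_url(u, resolver=fake_resolver) else 'blocked'}")
```

One caveat for anyone wiring a guard like this in front of an HTTP client: the check resolves the name once and the client resolves it again, so a name whose answer changes between the two lookups (DNS rebinding) can slip past; pinning the connection to the address that was checked, or a hostname allowlist with a short list of trusted hosts, closes that gap. Redirects also need the same check applied to each hop.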
References
- https://getsafety.com/vulnerabilities/SFTY-20250623-57712/CVE-2025-2828
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-2828
- https://nvd.nist.gov/vuln/detail/CVE-2025-2828
- https://github.com/advisories/GHSA-h5gc-rm8j-5gpr
- https://github.com/pypa/advisory-database/tree/main/vulns/langchain-community/PYSEC-2025-70.yaml
- https://github.com/langchain-ai/langchain/commit/e188d4ecb085d4561a0be3c583d26aa9c2c3283f
- https://huntr.com/bounties/8f771040-7f34-420a-b96b-5b93d4a99afc
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.