GHSA-2g6r-c272-w58r

Suggest an improvement
Source
https://github.com/advisories/GHSA-2g6r-c272-w58r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2g6r-c272-w58r/GHSA-2g6r-c272-w58r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2g6r-c272-w58r
Aliases
Published
2026-02-11T14:23:13Z
Modified
2026-02-11T14:44:37.030028Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
Details

Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting

Summary

The ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.

Severity

Low - The vulnerability allows SSRF attacks but has limited impact due to: - Responses are not returned to the attacker (blind SSRF) - Default 5-second timeout limits resource exhaustion - Non-image responses fail at PIL image parsing

Impact

An attacker who can control image URLs passed to get_num_tokens_from_messages() can: - Trigger HTTP requests from the application server to arbitrary internal or external URLs - Cause the server to access internal network resources (private IPs, cloud metadata endpoints) - Cause minor resource consumption through image downloads (bounded by timeout)

Note: This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).

Details

The vulnerable code path: 1. get_num_tokens_from_messages() processes messages containing image_url content blocks 2. For images without detail: "low", it calls _url_to_size() to fetch the image and compute token counts 3. _url_to_size() performs httpx.get(image_source) on any URL without validation 4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout

File: libs/partners/openai/langchain_openai/chat_models/base.py

Patches

The vulnerability has been patched in langchain-openai==1.1.9 (requires langchain-core==1.2.11).

The patch adds: 1. SSRF validation using langchain_core._security._ssrf_protection.validate_safe_url() to block: - Private IP ranges (RFC 1918, loopback, link-local) - Cloud metadata endpoints (169.254.169.254, etc.) - Invalid URL schemes 2. Explicit size limits (50 MB maximum, matching OpenAI's payload limit) 3. Explicit timeout (5 seconds, same as httpx.get default) 4. Allow disabling image fetching via allow_fetching_images=False parameter

Workarounds

If you cannot upgrade immediately:

  1. Sanitize input: Validate and filter image_url values before passing messages to token counting or model invocation
  2. Use network controls: Implement egress filtering to prevent outbound requests to private IPs
Database specific 
{
    "nvd_published_at": "2026-02-10T22:17:00Z",
    "github_reviewed_at": "2026-02-11T14:23:13Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-918"
    ],
    "github_reviewed": true
}
References

Affected packages

PyPI / langchain-core

Package

Name
langchain-core
View open source insights on deps.dev
Purl
pkg:pypi/langchain-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.11

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13rc1
0.0.13rc2
0.0.13
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12rc1
0.1.12
0.1.13
0.1.14
0.1.15rc1
0.1.15rc2
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.30
0.1.31
0.1.32
0.1.33rc1
0.1.33
0.1.34
0.1.35
0.1.36
0.1.37
0.1.38
0.1.39
0.1.40
0.1.41
0.1.42rc1
0.1.42
0.1.43
0.1.44
0.1.45
0.1.46
0.1.47rc1
0.1.47
0.1.48
0.1.49
0.1.50
0.1.51
0.1.52
0.1.53
0.2.0rc1
0.2.0
0.2.1
0.2.2rc1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.15
0.2.16
0.2.17
0.2.18
0.2.19
0.2.20
0.2.21
0.2.22
0.2.23
0.2.24
0.2.25
0.2.26
0.2.27
0.2.28
0.2.29rc1
0.2.29
0.2.30
0.2.31
0.2.32
0.2.33
0.2.34
0.2.35
0.2.36
0.2.37
0.2.38
0.2.39
0.2.40
0.2.41
0.2.42
0.2.43
0.3.0.dev0
0.3.0.dev1
0.3.0.dev2
0.3.0.dev3
0.3.0.dev4
0.3.0.dev5
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.3.17
0.3.18
0.3.19
0.3.20
0.3.21
0.3.22
0.3.23
0.3.24
0.3.25
0.3.26
0.3.27
0.3.28
0.3.29
0.3.30
0.3.31
0.3.32
0.3.33
0.3.34rc1
0.3.34rc2
0.3.34
0.3.35
0.3.36
0.3.37
0.3.38
0.3.39
0.3.40
0.3.41
0.3.42
0.3.43
0.3.44
0.3.45rc1
0.3.45
0.3.46
0.3.47
0.3.48
0.3.49
0.3.50
0.3.51
0.3.52
0.3.53
0.3.54
0.3.55
0.3.56rc1
0.3.56
0.3.57
0.3.58
0.3.59
0.3.60
0.3.61
0.3.62
0.3.63
0.3.64
0.3.65
0.3.66
0.3.67
0.3.68
0.3.69
0.3.70
0.3.71
0.3.72
0.3.73
0.3.74
0.3.75
0.3.76
0.3.77
0.3.78
0.3.79
0.3.80
0.3.81
0.3.82
0.3.83
0.4.0.dev0
1.*
1.0.0a1
1.0.0a2
1.0.0a3
1.0.0a4
1.0.0a5
1.0.0a6
1.0.0a7
1.0.0a8
1.0.0rc1
1.0.0rc2
1.0.0rc3
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2g6r-c272-w58r/GHSA-2g6r-c272-w58r.json"