GHSA-h5gc-rm8j-5gpr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-h5gc-rm8j-5gpr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h5gc-rm8j-5gpr/GHSA-h5gc-rm8j-5gpr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-h5gc-rm8j-5gpr
- Aliases
- Published
- 2025-06-23T21:31:56Z
- Modified
- 2025-06-25T19:27:15.774679Z
- Severity
-
- 8.4 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- LangChain Community SSRF vulnerability exists in RequestsToolkit component
- Details
-
A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchaincommunity.agenttoolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.
- Database specific
{ "nvd_published_at": "2025-06-23T21:15:25Z", "cwe_ids": [ "CWE-918" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2025-06-25T18:45:48Z" }- References
Affected packages
PyPI / langchain-community
Package
- Name
- langchain-community
- View open source insights on deps.dev
- Purl
- pkg:pypi/langchain-community
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.0.28