CVE-2026-27795

EPSS 0.03%
Veröffentlicht 25.02.2026 17:30:01
Zuletzt bearbeitet 27.02.2026 14:06:59
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: "manual"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerlangchain-ai

≫

Produkt langchainjs

Version < 1.1.18

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.09

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	4.1	2.3	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7

https://github.com/langchain-ai/langchainjs/pull/9990

https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d

https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14

https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg

https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee

https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18

https://nvd.nist.gov/vuln/detail/CVE-2026-27795

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27795

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27795

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27795