GHSA-FV5P-P927-QMXR: SSRF via Redirect Bypass in LangChain HTMLHeaderTextSplitter
Vulnerability ID: GHSA-FV5P-P927-QMXR
CVSS Score: 6.5
Published: 2026-04-16
The langchain-text-splitters package prior to version 0.3.5 is vulnerable to Server-Side Request Forgery (SSRF) in the HTMLHeaderTextSplitter.split_text_from_url method. The validation is incomplete: it checks the URL the caller supplies but does not restrict the targets of subsequent HTTP redirects, so an attacker who controls that URL, or a server it redirects to, can steer the fetch to restricted internal hosts and to cloud metadata services such as 169.254.169.254.
TL;DR
LangChain's HTML text splitter fails to validate HTTP redirects during content retrieval, enabling attackers to bypass SSRF protections and extract internal network data or cloud IAM credentials.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-918
- Attack Vector: Network
- CVSS Score: 6.5
- Impact: Confidentiality, Integrity
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- langchain-text-splitters: < 0.3.5 (fixed in 0.3.5)
Mitigation Strategies
- Update langchain-text-splitters to version 0.3.5 or newer
- Implement network egress filtering to block access to cloud metadata services (e.g., 169.254.169.254)
- Disable automatic redirect following in custom HTTP clients fetching user-provided URLs
Remediation Steps:
- Identify all projects and dependencies utilizing the langchain-text-splitters package
- Execute pip install --upgrade "langchain-text-splitters>=0.3.5" (quote the version specifier so the shell does not treat ">=" as an output redirection)
- Audit application code for any custom HTTP requests to untrusted URLs lacking allow_redirects=False (the requests keyword; httpx uses follow_redirects=False), and re-validate the Location target of every redirect before following it
- Deploy network-level policies blocking container or instance egress to cloud IMDS endpoints
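The redirect-bypass pattern described above, rendered as an added example in Python. This is not LangChain's code and not the patched implementation; the helper names, the fake DNS table and the fake HTTP response table are constructed so the example runs offline. It places the vulnerable shape (validate once, then follow redirects blindly) beside a hardened fetcher that disables automatic redirect following and re-runs the allow-list check on every hop, and it goes slightly beyond the advisory by resolving hostnames so that a public name pointing at a private address is rejected too:

```python
"""Added example (not langchain-text-splitters' code): a validate-once SSRF
check beside a fetcher that re-validates every redirect hop.

Everything below the imports is constructed for illustration: the fake DNS
table, the fake HTTP responses and the helper names are not from the advisory.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed fixtures so the example runs offline. 93.184.216.34 is simply a
# globally routable address, chosen so that the "public" host passes the check.
FAKE_DNS: Dict[str, str] = {"public.example": "93.184.216.34"}
IMDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
FAKE_NETWORK: Dict[str, Tuple[int, Dict[str, str], bytes]] = {
    "https://public.example/page": (302, {"Location": IMDS_URL}, b""),   # the attacker's redirect
    "https://public.example/moved": (301, {"Location": "/ok"}, b""),    # a benign relative redirect
    "https://public.example/ok": (200, {}, b"<h1>public content</h1>"),
    IMDS_URL: (200, {}, b"constructed-role-name"),
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes


def fake_send(url: str) -> Response:
    """One request with no automatic redirect following, i.e. what
    requests.get(url, allow_redirects=False) would return."""
    if url not in FAKE_NETWORK:
        raise ConnectionError(f"no route to {url}")
    status, headers, body = FAKE_NETWORK[url]
    return Response(status, headers, body)


def fake_resolve(host: str) -> List[str]:
    """Stand-in for socket.getaddrinfo(); real code must check every returned address."""
    if host not in FAKE_DNS:
        raise OSError(f"cannot resolve {host}")
    return [FAKE_DNS[host]]


def is_allowed_url(url: str, resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """Allow only http(s) URLs whose host (literal or resolved) is globally routable.
    ipaddress.is_global is False for loopback, RFC 1918, link-local (169.254/16,
    which covers the cloud metadata service), CGNAT and the documentation ranges."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addrs = [str(ipaddress.ip_address(parsed.hostname))]  # IP literal
    except ValueError:
        try:
            addrs = resolve(parsed.hostname)  # hostname: check what it points at
        except OSError:
            return False
    return all(ipaddress.ip_address(a).is_global for a in addrs)


def fetch_vulnerable(url: str, send: Callable[[str], Response] = fake_send) -> bytes:
    """The pattern the advisory describes: the check runs once on the caller's URL,
    then redirects are followed without re-checking their targets."""
    if not is_allowed_url(url):
        raise ValueError(f"blocked: {url}")
    current = url
    resp = send(current)
    while resp.status in REDIRECT_CODES:
        current = urljoin(current, resp.headers["Location"])
        resp = send(current)  # redirect target is never validated
    return resp.body


def fetch_hardened(url: str, send: Callable[[str], Response] = fake_send,
                   max_redirects: int = 5) -> bytes:
    """Follow redirects by hand and re-run is_allowed_url() on every hop."""
    current = url
    for _ in range(max_redirects + 1):
        if not is_allowed_url(current):
            raise ValueError(f"blocked: {current}")
        resp = send(current)
        if resp.status not in REDIRECT_CODES:
            return resp.body
        current = urljoin(current, resp.headers["Location"])
    raise ValueError(f"too many redirects starting from {url}")
```

With requests the equivalent of fake_send is requests.get(url, allow_redirects=False); with httpx it is client.get(url, follow_redirects=False). Checking the resolved address still leaves a DNS rebinding window between the check and the connect, so a production fetcher should connect to the address it validated, or route all such fetches through an egress proxy that enforces the same policy, which is what the network-level mitigation above provides.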
References
- GitHub Advisory: GHSA-FV5P-P927-QMXR
- LangChain Releases on GitHub
- OSV Entry for GHSA-FV5P-P927-QMXR
- AI Sec Watch Analysis