DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-R7W7-9XR2-QQ2R: GHSA-R7W7-9XR2-QQ2R: Server-Side Request Forgery via DNS Rebinding in langchain-openai

#security #cve #cybersecurity #ghsa

GHSA-R7W7-9XR2-QQ2R: Server-Side Request Forgery via DNS Rebinding in langchain-openai

Vulnerability ID: GHSA-R7W7-9XR2-QQ2R
CVSS Score: 3.1
Published: 2026-04-16

A Server-Side Request Forgery (SSRF) vulnerability exists in the langchain-openai package before version 1.1.14 due to a Time-of-Check Time-of-Use (TOCTOU) race condition in the image token calculation logic. The _url_to_size function evaluates URL safety and performs the HTTP fetch using separate DNS resolutions, permitting a DNS rebinding attack.

TL;DR

LangChain's OpenAI integration is vulnerable to a low-severity blind SSRF via DNS rebinding in its image token counter. The flaw allows attackers to probe internal networks, though data exfiltration is prevented by strict image parsing constraints.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: CWE-918 (SSRF) / CWE-367 (TOCTOU)
  • Attack Vector: Network
  • CVSS v3.1 Score: 3.1 (Low)
  • Impact: Blind Internal Network Probing
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Applications utilizing langchain-openai for processing multi-modal conversational data
  • Generative AI pipelines incorporating image token calculations
  • langchain-openai: < 1.1.14 (Fixed in: 1.1.14)

Code Analysis

Commit: 36819

Implementation of SSRFSafeSyncTransport to mitigate validate-then-fetch vulnerabilities in image token calculation.

Mitigation Strategies

  • Upgrade langchain-openai to version >= 1.1.14.
  • Ensure langchain-core is updated to version >= 1.2.31 to support the SSRFSafeSyncTransport mechanism.
  • Implement network-level egress filtering to restrict application servers from communicating with local, private, and cloud metadata IP ranges.
  • Audit custom application code for validate-then-fetch patterns and replace them with DNS-pinned HTTP clients.

Remediation Steps:

  1. Identify all projects and virtual environments utilizing the langchain-openai package.
  2. Modify dependency manifests (requirements.txt, pyproject.toml, Pipfile) to pin langchain-openai >= 1.1.14 and langchain-core >= 1.2.31.
  3. Execute the package manager update command (e.g., pip install --upgrade langchain-openai langchain-core).
  4. Run the application test suite, specifically validating multi-modal prompt handling to ensure no regression exists with external image processing.

References

Read the full report for GHSA-R7W7-9XR2-QQ2R on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)