Update dependency @langchain/community to v1 [SECURITY] #193
Open
alithya-oss-backstage-ci[bot] wants to merge 1 commit into main from
Conversation
Signed-off-by: Renovate Bot <bot@renovateapp.com>
Contributor / Author
Missing Changesets
The following package(s) are changed by this PR but do not have a changeset:
See CONTRIBUTING.md for more information about how to add changesets.
Changed Packages

Contributor / Author
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.

Contributor
This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!
This PR contains the following updates:
Package: @langchain/community
Change: ^0.3.26 → ^1.0.0

@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation
CVE-2026-26019 / GHSA-gf3v-fwqg-4vh7
Description
The RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL.

The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target (e.g., https://example.com.attacker.com passes a startsWith check against https://example.com), causing the crawler to follow links to attacker-controlled or internal infrastructure.

Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services (169.254.169.254), localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction.

Impact

An attacker who can influence the content of a page being crawled (e.g., by placing a link on a public-facing page, forum, or user-generated content) could cause the crawler to:
- request private (RFC 1918) addresses (10.x, 172.16.x, 192.168.x)

This is exploitable in any environment where RecursiveUrlLoader runs on infrastructure with access to cloud metadata or internal services, which includes most cloud-hosted deployments.

Resolution

Two changes were made:

1. Origin comparison replaced. The startsWith check was replaced with a strict origin comparison using the URL API (new URL(link).origin === new URL(baseUrl).origin). This correctly validates scheme, hostname, and port as a unit, preventing subdomain-based bypasses.

2. SSRF validation added to all fetch operations. A new URL validation module (@langchain/core/utils/ssrf) was introduced and applied before every outbound fetch in the crawler. This blocks requests to:
   - cloud metadata endpoints: 169.254.169.254, 169.254.170.2, 100.100.100.200, metadata.google.internal, and related hostnames
   - private, loopback and link-local IPv4 ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16
   - IPv6 loopback, unique-local and link-local ranges: ::1, fc00::/7, fe80::/10
   - non-HTTP(S) schemes (file:, ftp:, javascript:, etc.)

   Cloud metadata endpoints are unconditionally blocked and cannot be overridden.

Workarounds

Users who cannot upgrade immediately should avoid using RecursiveUrlLoader on untrusted or user-influenced content, or should run the crawler in a network environment without access to cloud metadata or internal services.

Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
CVE-2026-27795 / GHSA-mphv-75cg-56wg
Summary
A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019).

Affected Component

- Package: @langchain/community
- Class: RecursiveUrlLoader
- The preventOutside option (default: true) is insufficient to prevent this bypass when redirects are followed automatically.

Description

RecursiveUrlLoader is a web crawler that recursively follows links from a starting URL. The existing SSRF mitigation validates the initial URL before fetching, but it does not re-validate when the request follows redirects. Because fetch follows redirects by default, an attacker can supply a public URL that passes validation and then redirects to a private network address, localhost, or cloud metadata endpoint.

This constitutes a "check-then-act" gap in the request lifecycle: the safety check occurs before the redirect chain is resolved, and the final destination is never validated.

Impact

If an attacker can influence content on a page being crawled (e.g., user-generated content, untrusted external pages), they can cause the crawler to:
- request private (RFC 1918) addresses (10.x, 172.16.x, 192.168.x)

This is exploitable in any environment where RecursiveUrlLoader runs with access to internal networks or metadata services, which includes most cloud-hosted deployments.

Attack Scenario

Example redirector:

Root Cause

- URL validation (validateSafeUrl) is only performed on the initial URL.
- fetch follows redirects automatically (the redirect: "follow" default), so the request can change destinations without additional validation.

Resolution

Upgrade to @langchain/community >= 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating Location targets before following them:
- automatic redirects are disabled (redirect: "manual");
- each Location header is resolved and validated with validateSafeUrl() before the next request.

Resources

Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
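The two advisories above (CVE-2026-26019 and CVE-2026-27795) reduce to three checks: compare origins rather than string prefixes, refuse private and metadata hosts before every fetch, and repeat that check on every redirect hop. The block below is an added example written for this page, not code from @langchain/community or @langchain/core; the function names (validateSafeUrl, isSameOrigin, isSameSiteNaive, nextRedirectTarget, fetchWithValidatedRedirects) are hypothetical and do not mirror the library's API, and fakeFetch is a constructed stand-in for a server so the example runs offline. It needs Node.js 18 or later and no dependencies.

```javascript
// Added example, not @langchain/community's own code: the three checks the two
// advisories above call for, in plain Node.js (>= 18, no dependencies). The
// function names and the fake server are hypothetical.

const METADATA_HOSTS = new Set([
  "169.254.169.254", "169.254.170.2", "100.100.100.200", "metadata.google.internal",
]);
const BLOCKED_V4 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"];
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Dotted-quad IPv4 string to an unsigned 32-bit integer, or null if not IPv4.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.some((o) => o > 255) ? null : octets.reduce((acc, o) => acc * 256 + o, 0);
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split("/");
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Hostname-level blocklist. Call it on URL.hostname: the WHATWG parser has
// already normalised shorthand such as 127.1, 0x7f.1 or 2130706433 to 127.0.0.1,
// and wraps IPv6 literals in brackets.
function isBlockedHost(hostname) {
  const host = hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost") || METADATA_HOSTS.has(host)) return true;
  const v4 = ipv4ToInt(host);
  if (v4 !== null) return BLOCKED_V4.some((c) => inCidr(v4, c));
  if (host.startsWith("[") && host.endsWith("]")) {
    const v6 = host.slice(1, -1);
    if (v6 === "::1" || v6 === "::") return true;                        // loopback, unspecified
    if (/^f[cd][0-9a-f]{2}:/.test(v6)) return true;                      // fc00::/7 unique-local
    if (/^fe[89ab][0-9a-f]:/.test(v6)) return true;                      // fe80::/10 link-local
    const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6); // IPv4-mapped, e.g. ::ffff:7f00:1
    if (mapped) return BLOCKED_V4.some((c) => inCidr(parseInt(mapped[1], 16) * 65536 + parseInt(mapped[2], 16), c));
  }
  return false;
}

// Hypothetical validateSafeUrl: parse (resolving a relative input against base),
// then reject disallowed schemes and blocked hosts. Returns the URL object.
function validateSafeUrl(input, base) {
  const url = new URL(input, base);
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) throw new Error(`blocked scheme ${url.protocol}`);
  if (isBlockedHost(url.hostname)) throw new Error(`blocked host ${url.hostname}`);
  return url;
}

// Before (CVE-2026-26019): a prefix test that https://example.com.attacker.com passes.
function isSameSiteNaive(link, baseUrl) {
  return link.startsWith(baseUrl);
}

// After: scheme, host and port compared as one unit through URL.origin.
function isSameOrigin(link, baseUrl) {
  return new URL(link).origin === new URL(baseUrl).origin;
}

// One redirect hop: resolve Location against the URL that issued it, then revalidate.
function nextRedirectTarget(currentUrl, location) {
  return validateSafeUrl(location, currentUrl);
}

// CVE-2026-27795: follow redirects manually so every hop is revalidated.
// fetchImpl is injectable so the example can run offline against fakeFetch below.
async function fetchWithValidatedRedirects(input, { fetchImpl = fetch, maxRedirects = 5 } = {}) {
  let url = validateSafeUrl(input);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = await fetchImpl(url.href, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status > 399 || !location) return res;
    url = nextRedirectTarget(url, location);
  }
  throw new Error("too many redirects");
}

// Constructed fake server (not a real host): /redirect bounces to the metadata service.
function fakeFetch(href) {
  const routes = {
    "https://public.example/redirect": [302, { location: "http://169.254.169.254/latest/meta-data/" }],
    "https://public.example/hop": [301, { location: "/final" }],
    "https://public.example/final": [200, {}],
  };
  const [status, headers] = routes[href] ?? [404, {}];
  return Promise.resolve({ status, url: href, headers: new Headers(headers) });
}

console.log(isSameSiteNaive("https://example.com.attacker.com/x", "https://example.com")); // true
console.log(isSameOrigin("https://example.com.attacker.com/x", "https://example.com"));    // false
fetchWithValidatedRedirects("https://public.example/redirect", { fetchImpl: fakeFetch })
  .then(() => console.log("unexpected success"), (e) => console.log("rejected:", e.message)); // rejected: blocked host 169.254.169.254
```

Two caveats a practitioner should keep in mind. First, the check runs on URL.hostname, so the WHATWG parser has already collapsed the usual IP-literal disguises (decimal, hex, shortened dotted forms), but a hostname-level blocklist still cannot see where a public name resolves: a name that resolves to 10.0.0.5, or that changes its answer between check and connect (DNS rebinding), passes it, and closing that gap needs a check at resolution or connect time. Second, resolving each Location against the URL that issued it matters: a relative Location such as /final is only safe if it is resolved against the redirecting host rather than the original one.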
Release Notes
langchain-ai/langchainjs (@langchain/community)
v1.1.18
Patch Changes
- #10108 e7576ee Thanks @hntrl! - fix: replace retired Anthropic model IDs with active replacements
  - claude-3-5-sonnet-latest to claude-sonnet-4-5-20250929
  - claude-3-5-haiku-20241022, claude-3-7-sonnet-20250219, claude-3-5-sonnet-20240620, and claude-3-5-sonnet-20241022 in tests, docstrings, and examples
- #10116 2812d2b Thanks @hntrl! - Validate redirects in RecursiveUrlLoader to prevent SSRF bypasses.
- Updated dependencies []:

v1.1.16
Patch Changes
- Updated dependencies [27186c5, 05396f7, 5a6f26b, 7be50a7]:

v1.1.14
Patch Changes
- #9990 d5e3db0 Thanks @hntrl! - feat(core): Add SSRF protection module (@langchain/core/utils/ssrf) with utilities for validating URLs against private IPs, cloud metadata endpoints, and localhost.
  fix(community): Harden RecursiveUrlLoader against SSRF attacks by integrating validateSafeUrl and replacing string-based URL comparison with origin-based isSameOrigin from the shared SSRF module.
- Updated dependencies [d5e3db0, 6939dab, ad581c7]:

v1.1.12 (Compare Source)
Patch Changes
- Updated dependencies [0870ca0, 8f0757f, cf46089]:

v1.1.11 (Compare Source)
Patch Changes
- #9905 41bfea5 Thanks @christian-bromann! - fix(classic/community/core): avoid long lived abort signals
- Updated dependencies [41bfea5]:

v1.1.10 (Compare Source)
Patch Changes
- #9883 ea00005 Thanks @FilipZmijewski! - support aborting for Model Gateway and WatsonxLLM for IBM
- #9896 70f329a Thanks @Axadali! - Add score normalization feature to PGVectorStore allowing users to choose between returning raw distances or normalized similarity scores. This makes PGVectorStore consistent with other vector stores in the LangChain ecosystem where higher scores indicate greater similarity. Maintains full backward compatibility by defaulting to distance mode.
- #9874 a995a3f Thanks @phong-phuong! - fix jira failing to fetch issues
- Updated dependencies [1fa865b, 28efb57, 4e42452, a9b5059, a9b5059]:

v1.1.9 (Compare Source)
Patch Changes
- Updated dependencies [1d58bf2]:

v1.1.8
Patch Changes
- #9759 82c51e4 Thanks @ejscribner! - Fix(couchbase): Add Couchbase peer dependency and add CouchbaseQueryVectorStore and CouchbaseSearchVectorStore to tsdown bundle
- Updated dependencies [a496cc0]:

v1.1.6 (Compare Source)
Patch Changes
- #9835 adb3625 Thanks @maahir30! - Use UTF-8 byte length for metadata fields
- Updated dependencies []:
v1.1.5 (Compare Source)
Patch Changes
- #9822 ff69e1e Thanks @HarshVz! - Add multi-region support for Alibaba Tongyi chat models. Users can now specify their region (China, Singapore, or US) when initializing ChatAlibabaTongyi. This enables proper API endpoint routing for users with region-specific API keys.
  - region parameter to ChatAlibabaTongyi constructor
  - "china" (default), "singapore", "us"
- Updated dependencies [a7c6ec5, 04923f9, e16c218]:

v1.1.4 (Compare Source)
Patch Changes
- Updated dependencies [3efe79c]:

v1.1.3 (Compare Source)
Patch Changes
- #9757 8619adb Thanks @FilipZmijewski! - fix: add properties to check valid props
- Updated dependencies []:

v1.1.2
Patch Changes
- #9601 d79d2ff Thanks @Orenoid! - feat(zhipuai): support tool calling in ChatZhipuAI
- Updated dependencies [13c9d5b, cc502e1, 75b3b90]:

v1.1.0 (Compare Source)
Minor Changes
- 0221458 Thanks @phong-phuong! - Update Jira document loader with updated v3 API jql endpoint
Patch Changes
- #9582 739e2ce Thanks @bitporo! - feat(community): add similaritySearch() and similaritySearchWithScore() support for lancedb
- #9385 163614e Thanks @margaretjgu! - add elasticsearch hybrid search
- #9641 005c729 Thanks @christian-bromann! - fix(community/core): various security fixes
- #9473 bc758ec Thanks @gbrmaia! - add GoogleCalendarDeleteTool
- #9639 454a93d Thanks @christian-bromann! - fix(community): LlamaCppEmbeddings now returns embeddings instead of token IDs
- #9214 5e0b88e Thanks @mattfoxvog! - fix typo in IBM WatsonxLLM parameter truncateInpuTokens -> truncateInputTokens
- #8948 6af735d Thanks @christian-bromann! - fix(community): Add INSERT support to PrismaVectorStore for ParentDocumentRetriever compatibility (#8833)
- #8427 b5aa0bc Thanks @AllenFang! - improve bm25 sorting function
- #9225 dc4e3f8 Thanks @noobgramming! - fix(community): IBM WatsonX ChatWatsonx does not cancel requests on AbortSignal
- #9590 0dc141d Thanks @FilipZmijewski! - fix(community): IBM tests, add missing metadata properties
- Updated dependencies [5a01b5b, eab88a5, 5f79bc5, 316392e, 7b301c0, bb2f422, 2a5ba50, 47edf3f, 41b26a4, 2e563e3, 72795fe, f97b488, 29a8480, 3ecc1e7, 6baa851, a552cad, 69a1045]:

v1.0.7 (Compare Source)
Patch Changes
- #9436 ca32dd7 Thanks @sinedied! - Fix possible race condition in FileSystemChatMessageHistory
- #8333 dc396c4 Thanks @ejscribner! - community[minor]: Create CouchbaseQueryVectorStore
- Updated dependencies []:

v1.0.6
Patch Changes
- #9501 8b9f66f Thanks @hntrl! - fix community exports (#9494)
- #9498 31240d4 Thanks @hntrl! - enable model gateway usage in IBM implementation
- Updated dependencies []:

v1.0.4 (Compare Source)
Patch Changes
- #9326 3e0cab6 Thanks @ayanyev! - Milvus vector store client: ignore auto-calculated fields in collection schema during payload validation
- Updated dependencies [415cb0b, a2ad61e, 34c472d]:

v0.3.58 (Compare Source)
Commits: 68e6f49, df3399f, 006319a, c8ebe6d, 1e31844, 028aa59, 594e334, 6bf4e90, eebca00, 33e0bb6, eff0ce1, 9df1dc3, 16fb7bd, 247f577, 8ff1728, 3695806, 9d948b0, 5f73e53, 70eb7bc, 06ebd78, bb5b2de, 6540e07, 09f644d, 68670cb, 2b2f009, 43cf1f3, eb7c01f, a8d782b, 934a548, caba026

v0.3.57 (Compare Source)
v0.3.56 (Compare Source)
v0.3.55 (Compare Source)
v0.3.54 (Compare Source)
v0.3.53 (Compare Source)
v0.3.52 (Compare Source)
v0.3.51 (Compare Source)
v0.3.50 (Compare Source)
v0.3.49 (Compare Source)
v0.3.48 (Compare Source)
v0.3.47 (Compare Source)
v0.3.46 (Compare Source)
v0.3.45 (Compare Source)
v0.3.44 (Compare Source)
v0.3.43 (Compare Source)
v0.3.42 (Compare Source)
v0.3.41 (Compare Source)
v0.3.40 (Compare Source)
v0.3.39 (Compare Source)
v0.3.38 (Compare Source)
v0.3.37 (Compare Source)
v0.3.36 (Compare Source)
v0.3.35 (Compare Source)
v0.3.34 (Compare Source)
v0.3.33 (Compare Source)
v0.3.32 (Compare Source)
v0.3.31 (Compare Source)
v0.3.30 (Compare Source)
v0.3.29 (Compare Source)
v0.3.28 (Compare Source)

v0.3.27 (Compare Source)
What's Changed
- Runnable.bind by @benjamincburns in #8192
- window.LanguageModel by @jtpio in #8173
New Contributors

Full Changelog: langchain-ai/langchainjs@0.3.26...0.3.27
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.