Bug 2374398 (CVE-2025-2828) - CVE-2025-2828 langchain-community: SSRF Vulnerability in langchain-community
Summary: CVE-2025-2828 langchain-community: SSRF Vulnerability in langchain-community
Keywords:
Status: NEW
Alias: CVE-2025-2828
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-06-23 21:01 UTC by OSIDB Bzimport
Modified: 2025-06-30 12:58 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2025-06-23 21:01:14 UTC
A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.
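The root cause described above is an HTTP tool that forwards any URL an agent produces without checking where it points. The following is an added example, not code from langchain-community or from this bug report, showing the kind of destination check a maintainer or deployer can put in front of such a tool: it accepts only http/https, resolves the hostname, and rejects any answer that is loopback, private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast, reserved or unspecified, including IPv4-mapped IPv6 forms. The function names (`check_url`, `guarded_request`), the injectable `resolver` callable and the sample addresses are this example's own assumptions, not identifiers from the package.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def default_resolver(host):
    """Resolve a hostname to every address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_disallowed_ip(ip):
    """True for any address an agent-driven HTTP tool must not reach."""
    # ::ffff:127.0.0.1 and similar must be judged as the IPv4 address they wrap.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # is_link_local covers 169.254.0.0/16, hence the cloud metadata address.
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL an agent wants to fetch.

    `resolver` is injectable so the check can be unit-tested offline; it must
    return a list of address strings or raise OSError/LookupError.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL are not allowed"
    # A literal IP is checked directly; a name is resolved and *every* answer
    # is checked, so a name with one internal A record is still rejected.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError, LookupError) as exc:
            return False, "resolution failed for %s: %s" % (host, exc)
    if not addrs:
        return False, "no addresses for %s" % host
    for ip in addrs:
        if _is_disallowed_ip(ip):
            return False, "%s resolves to disallowed address %s" % (host, ip)
    return True, "ok"


def guarded_request(url, send, resolver=default_resolver):
    """Run `send(url)` only if the destination passes check_url.

    `send` is whatever actually performs the HTTP request (e.g. a thin
    wrapper around requests.get); it is a parameter so this gate is
    independent of the HTTP client in use.
    """
    allowed, reason = check_url(url, resolver)
    if not allowed:
        raise PermissionError("blocked request to %s: %s" % (url, reason))
    return send(url)


if __name__ == "__main__":
    # Constructed resolver table so the demo runs without network access.
    table = {
        "localhost": ["127.0.0.1"],
        "example.com": ["93.184.216.34"],
        "meta.internal": ["169.254.169.254", "203.0.113.10"],
    }
    for u in ("http://example.com/api",
              "http://localhost:8080/",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/",
              "http://meta.internal/"):
        print(u, "->", check_url(u, lambda h: table[h]))
```

Two caveats a deployer should keep in mind: the address checked here is the one resolved at check time, so a resilient deployment also pins the connection to that address (or re-checks inside the client's connection hook) to close the DNS-rebinding window, and every HTTP redirect must be passed back through `check_url` before it is followed, since a public host can redirect to an internal one.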
