LangChain
cpe:2.3:a:langchain:langchain:*:*:*:*:*:*:*
- 0.3.81
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the LangChain framework, specifically within the ChatOpenAI.get_num_tokens_from_messages() method. This issue is present in versions of LangChain prior to 1.2.11. The vulnerability arises because the method processes image URLs from user input without proper validation, allowing attackers to send malicious URLs that the server will fetch. This could lead to unauthorized access of internal resources or external URLs.
Exploitation of this vulnerability allows for SSRF attacks, where the application server is tricked into making HTTP requests to internal or external URLs specified by the attacker. This could result in access to private network resources or cloud metadata endpoints, with some minor resource consumption from downloading images, although this is limited by a default 5-second timeout.
To reproduce this vulnerability, use a version of LangChain prior to 1.2.11 and invoke the ChatOpenAI.get_num_tokens_from_messages() method with a message that includes an image_url block. The URL provided should point to a resource that the server can access, such as an internal IP address or a cloud metadata endpoint. The method will fetch the image without validating the URL, allowing for SSRF exploitation.
Upgrade to LangChain version 1.2.11 or later, which includes the necessary SSRF protection. If an immediate upgrade is not possible, validate and sanitize image URLs before using them in the get_num_tokens_from_messages() method.
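One way to do the interim validation described above, as an added example (not code from LangChain or from this advisory). The function names `is_safe_image_url` and `strip_unsafe_images` are hypothetical, and messages are assumed to be plain dicts carrying OpenAI-style `image_url` content blocks.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _resolve(host):
    """Default resolver: every address the host name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_image_url(url, resolve=_resolve):
    """True only for http(s) URLs whose host resolves solely to public addresses."""
    if url.startswith("data:"):
        return True  # inline image data, nothing is fetched over the network
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return False
        addrs = resolve(parts.hostname)
        # Reject if ANY address is loopback, private, link-local (cloud
        # metadata lives at 169.254.169.254), reserved or otherwise non-public.
        return bool(addrs) and all(
            ipaddress.ip_address(a.split("%")[0]).is_global for a in addrs
        )
    except (OSError, ValueError):
        return False  # unresolvable or malformed: fail closed


def strip_unsafe_images(messages, resolve=_resolve):
    """Return a copy of messages with unsafe image_url blocks removed."""
    cleaned = []
    for msg in messages:
        content = msg.get("content")
        if isinstance(content, list):
            kept = []
            for block in content:
                if isinstance(block, dict) and block.get("type") == "image_url":
                    ref = block.get("image_url")
                    # Assumption: the URL is either {"url": ...} or a bare string.
                    url = ref.get("url", "") if isinstance(ref, dict) else str(ref or "")
                    if not is_safe_image_url(url, resolve):
                        continue
                kept.append(block)
            msg = {**msg, "content": kept}
        cleaned.append(msg)
    return cleaned
```

Run `strip_unsafe_images()` on user-supplied messages before they reach `get_num_tokens_from_messages()`. This pre-check does not follow redirects or pin the resolved address for the later fetch, so it narrows exposure on an unpatched version but does not replace the upgrade.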