LangChain RecursiveUrlLoader SSRF Vulnerability Allowing Cloud Metadata and Private IP Access

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the RecursiveUrlLoader class of the LangChain framework, specifically in the @langchain/community package prior to version 1.1.14. The loader's crawler does not properly validate URLs when the 'preventOutside' option is enabled: the check meant to keep the crawl within the base URL accepts links that merely share a string prefix with it, so an attacker who controls crawled page content can craft links that pass the check yet point at internal services or the cloud metadata endpoint. The loader also performs inadequate checks against private or reserved IP addresses, so links to services on localhost or within private network ranges are fetched.

Impact

Exploiting this vulnerability allows unauthorized requests to the cloud instance metadata service, which can expose sensitive information such as IAM credentials and session tokens. It also allows requests to internal services on private networks or localhost, with the potential to exfiltrate data via attacker-controlled redirect chains.

Reproduction

To reproduce this vulnerability, run RecursiveUrlLoader with the 'preventOutside' option enabled against a base URL whose pages link to URLs that share a string prefix with that base URL but belong to a different host. The loader fetches these links despite preventOutside, because the restriction is enforced as a prefix comparison rather than an origin comparison. Pointing such links at private IP addresses or at a cloud metadata service demonstrates the impact.

Remediation

Users should upgrade @langchain/community to version 1.1.14 or later, where this vulnerability has been fixed. The fix lives in the @langchain/community package, so updating the core langchain package alone does not address it. Instructions for updating can be found in the release notes on the LangChain GitHub repository. As defense in depth, run crawlers from a network position that cannot reach the instance metadata service or internal hosts (egress filtering; on AWS, requiring IMDSv2, whose token handshake a plain GET cannot complete).

Added: Feb 11, 2026, 10:24 PM
Updated: Feb 11, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 4.0
remediation: 7.9
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.