LangChain langchain-openai Library DNS Rebinding Vulnerability Allowing SSRF

Vulnerability

A vulnerability in the langchain-openai library prior to version 1.1.14 allows Server-Side Request Forgery (SSRF) via DNS rebinding. The issue is in the '_url_to_size()' helper, which 'get_num_tokens_from_messages' uses to count image tokens. The helper first validates the image URL for SSRF protection and then fetches it in a separate network operation that resolves the hostname again. Because the check and the use are two independent lookups, the code has a time-of-check-to-time-of-use (TOCTOU) flaw: an attacker who controls a hostname can have it resolve to a public IP when the validation runs and to a private or localhost IP when the fetch runs. The practical impact is limited, because the response body is passed straight to Pillow's 'Image.open()' and is never exposed to the caller, but the fetch still allows blind probing of internal services.
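The TOCTOU pattern described above, as an added illustration that is not code from langchain-openai and does not reproduce '_url_to_size()'. The resolver is injected so the example runs offline: 'make_rebinding_resolver' is a constructed stand-in for attacker-controlled DNS whose answer flips between lookups, the HTTP fetch is modelled as returning the address the client would connect to rather than making a request, and 'fetch_vulnerable', 'fetch_pinned' and 'is_public_ip' are hypothetical names chosen for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, List

# A resolver maps a hostname to the addresses it currently resolves to.
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Real OS lookup (live DNS). The demo below injects a constructed resolver instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(ip: str) -> bool:
    """SSRF allow-list: only globally routable unicast addresses pass.
    Loopback, RFC 1918, link-local (including 169.254.169.254) and
    reserved ranges are all rejected."""
    addr = ipaddress.ip_address(ip)
    return not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def make_rebinding_resolver(answers: List[str]) -> Resolver:
    """Constructed attacker-controlled DNS (an assumption for the demo, not real
    DNS): each lookup returns the next answer in the list, then the last one
    forever. This models a low-TTL record that flips from a public address to an
    internal one between the validation lookup and the fetch lookup."""
    state = {"calls": 0}

    def resolve(host: str) -> List[str]:
        idx = min(state["calls"], len(answers) - 1)
        state["calls"] += 1
        return [answers[idx]]

    return resolve


def fetch_vulnerable(host: str, resolver: Resolver) -> str:
    """TOCTOU pattern: validate one lookup, then let the HTTP client perform its
    own second lookup. Returns the address the client would actually connect to."""
    checked = resolver(host)                        # time of check
    if not all(is_public_ip(ip) for ip in checked):
        raise ValueError(f"blocked: {host} resolves to a non-public address")
    return resolver(host)[0]                        # time of use: independent lookup


def fetch_pinned(host: str, resolver: Resolver) -> str:
    """Hardened pattern: resolve once, validate every answer, and connect to the
    validated address itself, so no later lookup can change the target."""
    answers = resolver(host)
    if not answers or not all(is_public_ip(ip) for ip in answers):
        raise ValueError(f"blocked: {host} resolves to a non-public address")
    return answers[0]


if __name__ == "__main__":
    flip = make_rebinding_resolver(["93.184.216.34", "127.0.0.1"])
    print("vulnerable connects to", fetch_vulnerable("rebind.attacker.example", flip))
    flip = make_rebinding_resolver(["93.184.216.34", "127.0.0.1"])
    print("pinned connects to", fetch_pinned("rebind.attacker.example", flip))
```

In a real client, "connect to the validated address" means opening the socket to that IP while still sending the original hostname in the Host header and TLS SNI, and handling redirects manually, since every redirect target is a fresh hostname that must go through the same resolve-validate-pin step. Validating every returned address, not just the first, matters because a client may pick any of them.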

Impact

Exploitation of this vulnerability results in SSRF: the server makes a request to an address of the attacker's choosing. DNS rebinding is what defeats the validation step, because the attacker controls what the hostname resolves to at each lookup and can pass the check with a public address before steering the actual fetch to a private or localhost address. Since the fetched response is handed only to Pillow and never returned to the caller, the attacker cannot read it, so the attack is limited to blind probing of internal services.

Remediation

Upgrade to langchain-openai version 1.1.14 or later to address this vulnerability. The fixed version requires langchain-core version 1.2.31 or later, so both packages must be updated together.

Added: Apr 24, 2026, 9:21 PM
Updated: Apr 24, 2026, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 6.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.