CVE-2026-27795
Server-Side Request Forgery (SSRF) vulnerability in @langchain/community (npm)

Server-Side Request Forgery (SSRF)
No known exploit

What is CVE-2026-27795 About?

This vulnerability in `@langchain/community`'s `RecursiveUrlLoader` is a redirect-based Server-Side Request Forgery (SSRF) bypass. It allows an attacker to direct the crawler from an initially valid public URL to an internal or metadata endpoint via a redirect, even with existing SSRF protections. This can lead to the exfiltration of sensitive cloud credentials or access to internal services. Exploitation leverages a 'check-then-act' gap but is straightforward once a redirector URL is found.

Affected Software

@langchain/community <1.1.18

Technical Details

The RecursiveUrlLoader in @langchain/community (prior to version 1.1.18) contains an SSRF bypass due to a 'check-then-act' vulnerability in its URL validation process. The loader performs initial validation of the starting URL using validateSafeUrl() to ensure it's not internal or malicious. However, the underlying fetch mechanism follows HTTP 3xx redirects automatically (redirect: "follow" by default) without re-validating each subsequent redirect hop. An attacker can provide a seemingly safe, public URL that passes the initial validation. This URL then responds with a redirect (e.g., a 302) to a forbidden internal IP address, localhost, or cloud metadata endpoint (e.g., http://169.254.169.254/latest/meta-data/). The RecursiveUrlLoader then automatically follows this redirect, accessing the sensitive internal resource without further security checks, effectively bypassing the intended SSRF protection.
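The check-then-act gap described above, with the vulnerable pattern beside a hardened follower that re-validates every redirect hop, as an added example that is not @langchain/community's code. It assumes a simplified isSafeUrl in place of the loader's validateSafeUrl() and a constructed, offline fakeFetch in place of fetch(), so the redirect to the metadata endpoint is simulated, not requested.

```javascript
// Added example, not @langchain/community code; isSafeUrl approximates validateSafeUrl(), fakeFetch is a constructed offline fetch().
function isSafeUrl(urlString) {
  let url; try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.startsWith("[")) return false; // IPv6 literals refused, for brevity
  const v4 = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    // loopback, 0/8, link-local (169.254/16 holds the metadata service), RFC 1918
    if (a === 127 || a === 0 || a === 10 || (a === 169 && b === 254) ||
        (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return false;
  }
  return true;
}
// Vulnerable pattern: validate once, then let fetch follow redirects blindly.
async function checkThenFollow(startUrl, fetchImpl) {
  if (!isSafeUrl(startUrl)) throw new Error(`blocked: ${startUrl}`);
  const res = await fetchImpl(startUrl, { redirect: "follow" });
  return { finalUrl: res.url, status: res.status };
}

// Hardened pattern: redirect: "manual", and every hop is re-validated.
async function validateEveryHop(startUrl, fetchImpl, maxRedirects = 5) {
  let current = startUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isSafeUrl(current)) throw new Error(`blocked: ${current}`);
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status < 300 || res.status >= 400 || !location) {
      return { finalUrl: current, status: res.status };
    }
    current = new URL(location, current).href; // Location may be relative
  }
  throw new Error("too many redirects");
}

// Constructed routes: a "public" page that 302s to the metadata endpoint.
const ROUTES = {
  "https://public.example/start": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
  "http://169.254.169.254/latest/meta-data/": { status: 200 },
};
async function fakeFetch(url, opts = {}) {
  const route = ROUTES[url] || { status: 404 };
  if (opts.redirect !== "manual" && route.location) return fakeFetch(route.location, opts);
  const headers = new Map(route.location ? [["location", route.location]] : []);
  return { url, status: route.status, headers };
}
```

A production check should also resolve each hostname and validate the resolved address, since a public-looking DNS name can point at an internal IP; the string-level check here is deliberately minimal.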

What is the Impact of CVE-2026-27795?

Successful exploitation may allow attackers to access cloud instance metadata, internal services, and sensitive data, potentially leading to credential compromise or network reconnaissance.

What is the Exploitability of CVE-2026-27795?

Exploitation of this vulnerability is relatively straightforward once an attacker can influence the starting URL provided to the RecursiveUrlLoader. The key prerequisite is a redirector URL that can direct a request from a public, validated URL to an internal or metadata endpoint. No authentication or specific privileges are required on the target system for the SSRF itself, since the vulnerability lies in the server-side component's handling of URLs. The attack vector is remote, as the attacker supplies a URL. The risk is high in cloud environments where the RecursiveUrlLoader can reach internal networks or metadata services, since critical credentials can be exposed. The preventOutside option, which is true by default, does not prevent this bypass.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2026-27795?

Available Upgrade Options

  • @langchain/community
    • <1.1.18 → Upgrade to 1.1.18


Additional Resources

What are Similar Vulnerabilities to CVE-2026-27795?

Similar Vulnerabilities: CVE-2026-26019, CVE-2023-28432, CVE-2022-28147, CVE-2021-42283, CVE-2020-8012