Vulnerability	Vulnerable Version
M Server-side Request Forgery (SSRF) @langchain/community is a Third-party integrations for LangChain.js Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `RecursiveUrlLoader` class. An attacker can access internal network resources or sensitive cloud metadata by supplying a public URL that redirects to internal or protected endpoints, exploiting the lack of revalidation on redirect targets. How to fix Server-side Request Forgery (SSRF)? Upgrade `@langchain/community` to version 1.1.18 or higher.	<1.1.18
M Server-side Request Forgery (SSRF) @langchain/community is a Third-party integrations for LangChain.js Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `RecursiveUrlLoader` class. An attacker can access internal or sensitive resources by influencing crawled page content to include links that bypass origin and IP address validation, causing the process to fetch attacker-controlled or internal URLs. Note: This is only exploitable if the process runs in an environment with access to internal networks or cloud metadata services. How to fix Server-side Request Forgery (SSRF)? Upgrade `@langchain/community` to version 1.1.14 or higher.	<1.1.14

Server-side Request Forgery (SSRF)

@langchain/community is a Third-party integrations for LangChain.js

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the RecursiveUrlLoader class. An attacker can access internal network resources or sensitive cloud metadata by supplying a public URL that redirects to internal or protected endpoints, exploiting the lack of revalidation on redirect targets.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @langchain/community to version 1.1.18 or higher.

<1.1.18

Server-side Request Forgery (SSRF)

@langchain/community is a Third-party integrations for LangChain.js

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the RecursiveUrlLoader class. An attacker can access internal or sensitive resources by influencing crawled page content to include links that bypass origin and IP address validation, causing the process to fetch attacker-controlled or internal URLs.

Note: This is only exploitable if the process runs in an environment with access to internal networks or cloud metadata services.

How to fix Server-side Request Forgery (SSRF)?

Upgrade @langchain/community to version 1.1.14 or higher.

<1.1.14

Go back to all versions of this package