CVE-2024-0243

Advisory

There is a bypass in the CVE-2023-46229 fix within langchain's SSRF protections in recursive_url_loader.py. Despite setting prevent_outside to True, an SSRF vulnerability allows crawling from an external server to an internal one. The issue stems from inadequate handling of external URLs, enabling unauthorized server interactions. For instance, an attacker controlling https://example.com could exploit this by placing links such as "https://example.completely.different/my_file.html". Despite the preventive measure, the crawler would fetch the malicious file.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/langchain-ai/langchain/commit/bf0b3cc0b5ade1fb95a5b1b6fa260e99064c2e22
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0243