@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation
- Severity:
- Medium
Description
The RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL.
The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation.
Recommendation
Update the @langchain/community package to the latest compatible version. Followings are version details:
- Affected version(s): <= 1.1.13
- Patched version(s): 1.1.14
References
Related Issues
- LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader - CVE-2026-27795
- Feathers has an origin validation bypass via prefix matching - CVE-2026-27192
- webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior - CVE-2025-68458
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Tags:
- npm
- @langchain/community
Anything's wrong? Let us know Last updated on February 12, 2026