HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass · Advisory · langchain-ai/langchain · GitHub

HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass Vulnerability Overview The method validates the initial URL but then uses to make the request with redirects enabled. An attacker can point an externally controlled URL to internal addresses (such as or cloud metadata endpoints) and exploit redirects to bypass SSRF protection, leading to leakage of internal sensitive data. Impact Scope Affected Versions: Fixed Version: (requires ) CVSS Score: 6.5 / 10 (Medium) Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Confidentiality Impact: High Integrity/Availability Impact: None Remediation 1. Replace with the SSRF-safe HTTP transport layer (from ), which validates DNS results and ensures each request (including redirect targets) is bound to a verified IP. 2. Deprecate ; users should retrieve HTML content themselves and pass it to . Affected Code Attack Scenario 1. The developer passes an external URL to , relying on the built-in to block internal network requests. 2. The attacker provides a URL pointing to a publicly controlled host (e.g., ). 3. The attacker’s server responds with a 302 redirect to an internal endpoint (such as an unauthenticated internal API or cloud metadata service, without requiring special headers). 4. automatically follows the redirect, and the redirect target is not revalidated. 5. The response body is parsed and returned as a object to the application. Notes The core issue is bypassing explicitly provided SSRF protection. Cloud metadata endpoints (e.g., AWS IMDSv2, GCP, Azure) are inaccessible due to requiring special headers, but AWS IMDSv1 (no header required) is accessible. Data leakage depends on whether the application returns document content to the requester who supplied the URL; SSRF itself does not force the server to make the request.

Goal Reached Thanks to every supporter — we hit 100%!

HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass · Advisory · langchain-ai/langchain · GitHub

More from this source