{"data":{"id":"1610e3cb-2328-451c-bb90-e7a04230b884","title":"CVE-2024-3095: A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain","summary":"A Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick a server into making requests to unintended targets) exists in langchain version 0.1.5's Web Research Retriever component, which fails to block requests to local network addresses. This allows attackers to scan ports, access local services, read cloud metadata, and potentially execute arbitrary code (run commands on a system they don't own) by exploiting internal APIs.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-3095","publishedAt":"2024-06-06T23:15:59.160Z","cveId":"CVE-2024-3095","cweIds":["CWE-918"],"cvssScore":"7.7","cvssSeverity":"high","severity":"high","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["langchain-ai/langchain","Web Research Retriever"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00163,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}