{"data":{"id":"568c384e-f086-41da-8be0-0675a57d8765","title":"GHSA-fv5p-p927-qmxr: LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass","summary":"The LangChain function `HTMLHeaderTextSplitter.split_text_from_url()` had a security flaw: it checked the initial URL for safety but then followed HTTP redirects (automatic requests to a different URL) without re-checking the redirect targets. This meant an attacker could provide a safe-looking URL that secretly redirects to internal servers or sensitive cloud services, potentially leaking private data. The vulnerability affects versions of langchain-text-splitters before 1.1.2.","solution":"Upgrade to langchain-text-splitters version 1.1.2 or later (which requires langchain-core >= 1.2.31). The fix replaces the unsafe HTTP request method with an SSRF-safe HTTP transport that validates every request, including redirect targets. Additionally, the vulnerable function has been deprecated, and users should instead fetch HTML content themselves and pass it to `split_text()` directly.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-fv5p-p927-qmxr","publishedAt":"2026-04-16T22:53:32.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["langchain-text-splitters@< 1.1.2 (fixed: 1.1.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["LangChain","langchain-text-splitters"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-16T22:53:32.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}