GHSA-2g6r-c272-w58r: LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages
Summary
LangChain's ChatOpenAI.get_num_tokens_from_messages() fetches every image_url value found in message content, without validating the URL, when it computes token counts for vision-enabled models. An attacker who can get an image_url content part into messages that the application later passes to this method (for example, through user-supplied chat input) can make the application server issue HTTP requests to arbitrary internal or external URLs, including hosts that are reachable only from the server. Impact is limited: the SSRF is blind (the attacker never sees the response body) and each request is subject to a 5-second timeout.
Solution / Mitigation
The vulnerability is patched in langchain-openai==1.1.9 (which requires langchain-core==1.2.11). The patch:
(1) validates each image_url with langchain_core._security._ssrf_protection.validate_safe_url(), rejecting private IP ranges, cloud metadata endpoints and invalid URL schemes (note the leading underscores: this is an internal module, not a supported API for application code);
(2) caps the size of a fetched image at 50 MB;
(3) applies an explicit 5-second timeout to the fetch;
(4) adds an allow_fetching_images=False parameter that disables image fetching altogether, which is the simplest setting for applications that accept untrusted image URLs and do not need the fetch.
If you cannot upgrade immediately, validate and filter image_url values before passing messages to token counting, and add egress filtering so the application host cannot open outbound connections to private IP ranges or metadata endpoints. Keep the egress filtering even after upgrading: a check on the initial URL alone does not cover an HTTP redirect to an internal host or a DNS answer that changes between validation and fetch, so network-level filtering is the defense in depth that catches both.
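The pre-filter mentioned above, written out as an added example. This is not LangChain's code and does not use its validate_safe_url(); it is a stand-alone filter that applies the same policy (reject non-http(s) schemes, private and link-local addresses, and cloud metadata hosts) to OpenAI-style content parts of the shape {"type": "image_url", "image_url": {"url": ...}}. The function names, the metadata host list, the FAKE_DNS table and the sample messages are this example's own constructions; DNS is injectable so the example runs offline and so a test can model a host that resolves to both a public and a private address.

```python
# Added example, not LangChain's own code: filter image_url parts before the
# messages reach ChatOpenAI.get_num_tokens_from_messages(). Assumes the
# OpenAI-style content-part shape {"type": "image_url", "image_url": {"url": ...}}.
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Well-known cloud metadata hostnames (constructed list, not exhaustive).
# The address form 169.254.169.254 is caught by the link-local check.
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}

Resolver = Callable[[str], list[str]]


def default_resolve(host: str) -> list[str]:
    """All A/AAAA addresses for host; raises OSError (socket.gaierror) on failure."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_forbidden_ip(ip: str) -> bool:
    """True for loopback, RFC1918/CGNAT, link-local (incl. 169.254.169.254),
    multicast, reserved or unspecified addresses. IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is judged by the embedded IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_url(url: str, resolve: Resolver = default_resolve) -> tuple[bool, str]:
    """Return (ok, reason). Fails closed on anything it cannot positively classify."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "data":  # inline image: no fetch happens, so no SSRF surface
        return (url.lower().startswith("data:image/"), "data: URL")
    if scheme not in ALLOWED_SCHEMES:
        return (False, f"scheme {scheme!r} not allowed")
    if parsed.username is not None or parsed.password is not None:
        return (False, "userinfo in URL")  # common parser-confusion trick
    host = parsed.hostname  # lowercased, brackets stripped from IPv6 literals
    if not host:
        return (False, "missing host")
    if host in METADATA_HOSTS:
        return (False, f"metadata host {host!r}")
    try:
        addrs = [host] if _is_ip_literal(host) else resolve(host)
    except OSError:
        addrs = []
    if not addrs:
        return (False, f"cannot resolve {host!r}")
    for ip in addrs:  # reject if ANY answer is internal (round-robin may mix)
        if is_forbidden_ip(ip):
            return (False, f"{host!r} -> {ip} is internal")
    return (True, "ok")


def sanitize_messages(messages: list[dict], resolve: Resolver = default_resolve) -> tuple[list[dict], list[str]]:
    """Drop image_url parts that fail is_safe_url; return (clean_messages, dropped_reasons)."""
    clean, dropped = [], []
    for msg in messages:
        content = msg.get("content")
        if not isinstance(content, list):  # plain-string content carries no image parts
            clean.append(msg)
            continue
        kept = []
        for part in content:
            if isinstance(part, dict) and part.get("type") == "image_url":
                img = part.get("image_url")
                url = img.get("url", "") if isinstance(img, dict) else str(img or "")
                ok, reason = is_safe_url(url, resolve)
                if not ok:
                    dropped.append(f"{url}: {reason}")
                    continue
            kept.append(part)
        clean.append({**msg, "content": kept})
    return clean, dropped


# Constructed sample input: one benign image, one metadata endpoint, one file: URL.
SAMPLE_MESSAGES = [
    {"role": "user", "content": [
        {"type": "text", "text": "What is in these pictures?"},
        {"type": "image_url", "image_url": {"url": "https://example.com/cat.png"}},
        {"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/iam/"}},
        {"type": "image_url", "image_url": {"url": "file:///etc/passwd"}},
    ]},
]

# Offline stand-in for DNS (constructed); rebind.test models a mixed public/private answer.
FAKE_DNS = {"example.com": ["93.184.216.34"], "rebind.test": ["203.0.113.7", "10.0.0.5"]}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    clean, dropped = sanitize_messages(SAMPLE_MESSAGES, resolve=fake_resolve)
    for reason in dropped:
        print("dropped:", reason)
    # `clean` is what you would now pass to token counting.
```

In a real pipeline the same check runs over each HumanMessage's content list before the messages are handed to get_num_tokens_from_messages(); the dict form is used here only so the example runs without LangChain installed. Two limitations are inherent to any URL-level check, this one included: it resolves the hostname once, so a DNS answer that changes before the actual fetch is not caught, and it does not see HTTP redirects issued by the remote host. That is why the mitigation section pairs input filtering with egress filtering.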
Original source: https://github.com/advisories/GHSA-2g6r-c272-w58r
First tracked: February 11, 2026 at 06:00 PM