GHSA-fv5p-p927-qmxr: LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass
Summary
The LangChain function `HTMLHeaderTextSplitter.split_text_from_url()` validated the URL it was given but then followed HTTP redirects (the automatic follow-up requests to a different URL) without revalidating the redirect target. An attacker could therefore supply a safe-looking URL that redirects to internal servers or sensitive cloud services, potentially leaking private data. The vulnerability affects versions of langchain-text-splitters before 1.1.2.
Solution / Mitigation
Upgrade to langchain-text-splitters version 1.1.2 or later (which requires langchain-core >= 1.2.31). The fix replaces the unsafe HTTP request method with an SSRF-safe HTTP transport that validates every request, including redirect targets. Additionally, the vulnerable function has been deprecated, and users should instead fetch HTML content themselves and pass it to `split_text()` directly.
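The following is an added illustration of the redirect-bypass pattern and of per-hop validation; it is not LangChain's code and does not show the SSRF-safe transport in langchain-core. DNS and HTTP are replaced by constructed in-memory tables (`FAKE_DNS`, `FAKE_RESPONSES`) so it runs offline; the function names `is_safe_url`, `fetch_vulnerable` and `fetch_hardened` are hypothetical.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed stand-ins for DNS and HTTP so the example runs offline.
# A real fetcher would use the system resolver and an HTTP client.
FAKE_DNS = {
    "example.com": "93.184.216.34",          # public address (constructed mapping)
    "metadata.internal": "169.254.169.254",  # cloud metadata endpoint (link-local)
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# url -> (status, headers, body). The first entry is the attacker's "safe-looking" page.
FAKE_RESPONSES = {
    "http://example.com/page": (302, {"Location": "http://10.0.0.5/admin"}, ""),
    "http://example.com/hop": (302, {"Location": "/ok"}, ""),
    "http://example.com/ok": (200, {}, "<h1>Public page</h1>"),
    "http://10.0.0.5/admin": (200, {}, "internal admin panel"),
}


def resolve(host):
    """Return the IP address for a host, or None if it cannot be resolved."""
    try:
        return ipaddress.ip_address(host)  # IP literal: no lookup needed
    except ValueError:
        ip = FAKE_DNS.get(host)
        return ipaddress.ip_address(ip) if ip else None


def is_safe_url(url):
    """Fail closed: allow only http(s) to a resolvable, globally routable address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    ip = resolve(parsed.hostname)
    return ip is not None and ip.is_global


def fake_get(url):
    """Minimal HTTP GET against the constructed responses; never follows redirects itself."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))


def fetch_vulnerable(url, max_redirects=5):
    """The flawed pattern: validate the initial URL only, then follow redirects blindly."""
    if not is_safe_url(url):
        raise ValueError(f"blocked: {url}")
    for _ in range(max_redirects + 1):
        status, headers, body = fake_get(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, headers["Location"])  # no recheck here: this is the SSRF
            continue
        return url, body
    raise RuntimeError("too many redirects")


def fetch_hardened(url, max_redirects=5):
    """Validate every hop, including each redirect target, before requesting it."""
    for _ in range(max_redirects + 1):
        if not is_safe_url(url):
            raise ValueError(f"blocked: {url}")
        status, headers, body = fake_get(url)
        if status in REDIRECT_STATUSES:
            url = urljoin(url, headers["Location"])
            continue
        return url, body
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    print(fetch_vulnerable("http://example.com/page"))  # returns the internal body
    try:
        fetch_hardened("http://example.com/page")
    except ValueError as exc:
        print(exc)                                      # blocked: http://10.0.0.5/admin
    print(fetch_hardened("http://example.com/hop"))     # relative redirect to a public page
```

The hardened version disables the client's automatic redirect following and re-runs the address check on every `Location` target, which is what "validates every request, including redirect targets" amounts to. Two caveats a deployment needs beyond this sketch: the check must inspect every address a hostname resolves to, and the connection must be made to the address that was checked (otherwise a second lookup can return a different, internal address), which is why a dedicated SSRF-safe transport, rather than a pre-check in front of an ordinary client, is the right fix. The advisory's recommendation to fetch the HTML yourself and call `split_text()` keeps the fetch under your own policy rather than the library's.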
Original source: https://github.com/advisories/GHSA-fv5p-p927-qmxr
First tracked: April 16, 2026 at 08:00 PM