GHSA-r7w7-9xr2-qq2r: langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding
Summary
A vulnerability in `langchain-openai` (a library for connecting to OpenAI's API) allowed attackers to bypass SSRF protection (server-side request forgery, where an attacker tricks a server into making requests it shouldn't) through DNS rebinding (changing what a domain name points to between two lookups). The flaw was in the image token counting feature, which validated URLs in one step and then fetched them in another, giving attackers a window to redirect requests to private networks. The actual risk is limited because stolen data cannot be extracted, though attackers could probe whether internal services exist.
Solution / Mitigation
Upgrade to `langchain-openai` version 1.1.14 or later (which requires `langchain-core` >= 1.2.31). The fix replaces the separate validation and fetch steps with an SSRF-safe httpx transport that resolves DNS once, validates all returned IPs against private/internal ranges in a single operation, pins the connection to the validated IP, and disables redirect following.
Classification
Affected Vendors
Affected Packages
Related Issues
Original source: https://github.com/advisories/GHSA-r7w7-9xr2-qq2r
First tracked: April 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%