GHSA-gf3v-fwqg-4vh7: @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation
Summary
The RecursiveUrlLoader class in @langchain/community had an SSRF vulnerability due to insufficient URL validation. It used String.startsWith() for URL comparison, allowing attackers to bypass the preventOutside option with domain prefix tricks (e.g., example.com.attacker.com), and had no validation against private/reserved IP addresses, enabling access to cloud metadata services and internal infrastructure.
Solution / Mitigation
Two changes were made: 1) The startsWith check was replaced with strict origin comparison using the URL API (new URL(link).origin === new URL(baseUrl).origin) to prevent subdomain-based bypasses. 2) A new URL validation module (@langchain/core/utils/ssrf) was introduced that blocks requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.), private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, etc.), IPv6 equivalents (::1, fc00::/7, fe80::/10), and non-HTTP/HTTPS schemes. As a workaround for users who cannot upgrade immediately: avoid using RecursiveUrlLoader on untrusted or user-influenced content, or run the crawler in a network environment without access to cloud metadata or internal services.
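The two checks the advisory contrasts, shown as an added example that is not @langchain/community's code and does not use the @langchain/core/utils/ssrf module: the prefix comparison that accepts a look-alike domain, the strict-origin comparison that replaced it, and a literal-address filter covering the ranges the advisory lists (function names and the blocked-host list are my own).

```javascript
// Added example, not @langchain/community's code. Weak check from the advisory:
// any URL that merely begins with the base text passes, so
// "https://example.com.attacker.com/" is accepted for base "https://example.com".
function isInsidePrefix(link, baseUrl) {
  return link.startsWith(baseUrl);
}
// Fixed check: compare scheme + host + port via the URL API, as the advisory describes.
function isInsideOrigin(link, baseUrl) {
  try {
    return new URL(link).origin === new URL(baseUrl).origin;
  } catch {
    return false; // an unparseable link is never "inside"
  }
}
// IPv4 ranges named in the advisory as [network, prefix]; 169.254.0.0/16 (link-local)
// covers the 169.254.169.254 metadata address.
const BLOCKED_V4 = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16]];
const BLOCKED_HOSTS = new Set(["metadata.google.internal", "localhost"]);

function ipv4ToInt(ip) {
  if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  return p.some((n) => n > 255) ? null : ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function inCidr(ip, net, bits) {
  const a = ipv4ToInt(ip), n = ipv4ToInt(net), mask = (0xffffffff << (32 - bits)) >>> 0;
  return a !== null && ((a & mask) >>> 0) === ((n & mask) >>> 0);
}
// ::1 plus fc00::/7 and fe80::/10, judged from the first hextet of the bracket-free literal.
function isBlockedV6(host) {
  if (/^(0*:)+0*1$/.test(host)) return true; // loopback in any zero-compressed spelling
  const first = parseInt(host.split(":")[0] || "0", 16);
  return (first & 0xfe00) === 0xfc00 || (first & 0xffc0) === 0xfe80;
}
// Returns null when the URL may be fetched, otherwise the reason it is refused. Only
// address literals and listed hostnames are filtered here; a public name that resolves
// to a private address has to be caught at DNS-resolution time.
function ssrfCheck(link) {
  let u;
  try { u = new URL(link); } catch { return "unparseable URL"; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return "non-HTTP scheme";
  const host = u.hostname; // WHATWG parsing lowercases names; "0x7f.1" becomes "127.0.0.1"
  if (BLOCKED_HOSTS.has(host)) return "blocked hostname";
  if (host.startsWith("[")) return isBlockedV6(host.slice(1, -1)) ? "private IPv6" : null;
  if (BLOCKED_V4.some(([net, bits]) => inCidr(host, net, bits))) return "private IPv4";
  return null;
}
```

Run the origin check on every discovered link before the address filter; the filter alone does not keep a crawl inside the intended site, and the origin check alone does not stop a same-origin page from linking to an internal address.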
Original source: https://github.com/advisories/GHSA-gf3v-fwqg-4vh7
First tracked: February 11, 2026 at 06:00 PM