GHSA-FV5P-P927-QMXR

Vulnerability from github – Published: 2026-04-16 22:53 – Updated: 2026-04-16 22:53
VLAI?
Summary
LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass
Details

Summary

HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections.

The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue.

Affected versions

  • langchain-text-splitters < 1.1.2

Patched versions

  • langchain-text-splitters >= 1.1.2 (requires langchain-core >= 1.2.31)

Affected code

File: libs/text-splitters/langchain_text_splitters/html.pysplit_text_from_url()

The vulnerable pattern validated the URL once then fetched with redirects enabled:

validate_safe_url(url, allow_private=False, allow_http=True)
response = requests.get(url, timeout=timeout, **kwargs)

Attack scenario

  1. A developer passes external URLs to split_text_from_url(), relying on its built-in validate_safe_url() check to block requests to internal networks.
  2. An attacker supplies a URL pointing to a public host they control. The URL passes validate_safe_url() (public hostname, public IP).
  3. The attacker's server responds with a 302 redirect to an internal endpoint (e.g., an unauthenticated internal admin API, or a cloud instance metadata service that does not require request headers — such as AWS IMDSv1).
  4. requests.get() follows the redirect automatically. The redirect target is not revalidated.
  5. The response body is parsed and returned as Document objects to the application.

Notes:

  • The core issue is a bypass of an explicitly provided SSRF protection. split_text_from_url() included validate_safe_url() specifically to be safe with untrusted URLs — the redirect loophole defeated that guarantee.
  • Cloud metadata endpoints that require special headers (AWS IMDSv2, GCP, Azure) are not reachable through this bug because the attacker does not control request headers. AWS IMDSv1, which requires no headers, is reachable.
  • Data exfiltration requires the application to return Document contents to the party that supplied the URL. The SSRF itself — forcing the server to issue a request to an internal endpoint — does not require this.

Fix

The fix replaces requests.get() with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that validates DNS results and pins connections to validated IPs on every request, including redirect targets, eliminating redirect-based bypasses.

Additionally, split_text_from_url() has been deprecated. Users should fetch HTML content themselves and pass it to split_text() directly.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langchain-text-splitters"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T22:53:32Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`HTMLHeaderTextSplitter.split_text_from_url()` validated the initial URL using `validate_safe_url()` but then performed the fetch with `requests.get()` with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections.\n\nThe response body is parsed and returned as `Document` objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue.\n\n## Affected versions\n\n- `langchain-text-splitters` \u003c 1.1.2\n\n## Patched versions\n\n- `langchain-text-splitters` \u003e= 1.1.2 (requires `langchain-core` \u003e= 1.2.31)\n\n## Affected code\n\n**File:** `libs/text-splitters/langchain_text_splitters/html.py` \u2014 `split_text_from_url()`\n\nThe vulnerable pattern validated the URL once then fetched with redirects enabled:\n\n```python\nvalidate_safe_url(url, allow_private=False, allow_http=True)\nresponse = requests.get(url, timeout=timeout, **kwargs)\n```\n\n## Attack scenario\n\n1. A developer passes external URLs to `split_text_from_url()`, relying on its\n   built-in `validate_safe_url()` check to block requests to internal networks.\n2. An attacker supplies a URL pointing to a public host they control. The URL\n   passes `validate_safe_url()` (public hostname, public IP).\n3. The attacker\u0027s server responds with a `302` redirect to an internal endpoint\n   (e.g., an unauthenticated internal admin API, or a cloud instance metadata\n   service that does not require request headers \u2014 such as AWS IMDSv1).\n4. `requests.get()` follows the redirect automatically. The redirect target is\n   **not** revalidated.\n5. The response body is parsed and returned as `Document` objects to the\n   application.\n\n**Notes:**\n\n- The core issue is a bypass of an explicitly provided SSRF protection.\n  `split_text_from_url()` included `validate_safe_url()` specifically to be\n  safe with untrusted URLs \u2014 the redirect loophole defeated that guarantee.\n- Cloud metadata endpoints that require special headers (AWS IMDSv2, GCP, Azure)\n  are not reachable through this bug because the attacker does not control\n  request headers. AWS IMDSv1, which requires no headers, is reachable.\n- Data exfiltration requires the application to return Document contents to the\n  party that supplied the URL. The SSRF itself \u2014 forcing the server to issue a\n  request to an internal endpoint \u2014 does not require this.\n\n## Fix\n\nThe fix replaces `requests.get()` with an SSRF-safe httpx transport (`SSRFSafeSyncTransport` from `langchain-core`) that validates DNS results and pins connections to validated IPs on every request, including redirect targets, eliminating redirect-based bypasses.\n\nAdditionally, `split_text_from_url()` has been deprecated. Users should fetch HTML content themselves and pass it to `split_text()` directly.",
  "id": "GHSA-fv5p-p927-qmxr",
  "modified": "2026-04-16T22:53:32Z",
  "published": "2026-04-16T22:53:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langchain-ai/langchain"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.