GHSA-R7W7-9XR2-QQ2R
Vulnerability from github – Published: 2026-04-16 23:00 – Updated: 2026-04-16 23:00Summary
langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
The practical impact is limited because the fetched response body is passed directly to Pillow's Image.open() to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).
Affected versions
langchain-openai< 1.1.14
Patched versions
langchain-openai>= 1.1.14 (requireslangchain-core>= 1.2.31)
Affected code
File: libs/partners/openai/langchain_openai/chat_models/base.py — _url_to_size()
The vulnerable pattern was a validate-then-fetch with separate DNS resolution:
validate_safe_url(image_source, allow_private=False, allow_http=True)
# ... separate network operation with independent DNS resolution ...
response = httpx.get(image_source, timeout=timeout)
Fix
The fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that:
- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)
- Pins the connection to the validated IP, eliminating the DNS rebinding window
- Disables redirect following to prevent redirect-based SSRF bypasses
This fix was released in langchain-openai 1.1.14.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "langchain-openai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T23:00:12Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "## Summary\n\n`langchain-openai`\u0027s `_url_to_size()` helper (used by `get_num_tokens_from_messages` for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.\n\nThe practical impact is limited because the fetched response body is passed directly to Pillow\u0027s `Image.open()` to extract dimensions \u2014 the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).\n\n## Affected versions\n\n- `langchain-openai` \u003c 1.1.14\n\n## Patched versions\n\n- `langchain-openai` \u003e= 1.1.14 (requires `langchain-core` \u003e= 1.2.31)\n\n## Affected code\n\n**File:** `libs/partners/openai/langchain_openai/chat_models/base.py` \u2014 `_url_to_size()`\n\nThe vulnerable pattern was a validate-then-fetch with separate DNS resolution:\n\n```python\nvalidate_safe_url(image_source, allow_private=False, allow_http=True)\n# ... separate network operation with independent DNS resolution ...\nresponse = httpx.get(image_source, timeout=timeout)\n```\n\n## Fix\n\nThe fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (`SSRFSafeSyncTransport` from `langchain-core`) that:\n\n- Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)\n- Pins the connection to the validated IP, eliminating the DNS rebinding window\n- Disables redirect following to prevent redirect-based SSRF bypasses\n\nThis fix was released in langchain-openai 1.1.14.",
"id": "GHSA-r7w7-9xr2-qq2r",
"modified": "2026-04-16T23:00:12Z",
"published": "2026-04-16T23:00:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r"
},
{
"type": "PACKAGE",
"url": "https://github.com/langchain-ai/langchain"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "langchain-openai: Image token counting SSRF protection can be bypassed via DNS rebinding"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.