Skip to content

fix(deps): update langchain-core to v1 [security]#657

Closed
utic-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-langchain-core-vulnerability
Closed

fix(deps): update langchain-core to v1 [security]#657
utic-renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-langchain-core-vulnerability

Conversation

@utic-renovate

@utic-renovate utic-renovate Bot commented Mar 3, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change OpenSSF
langchain-core (changelog) project.optional-dependencies major >=0.3.81,<1.0.0>=1.2.11,<1.3.0 OpenSSF Scorecard

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-26013

Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting

Summary

The ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.

Severity

Low - The vulnerability allows SSRF attacks but has limited impact due to:

  • Responses are not returned to the attacker (blind SSRF)
  • Default 5-second timeout limits resource exhaustion
  • Non-image responses fail at PIL image parsing

Impact

An attacker who can control image URLs passed to get_num_tokens_from_messages() can:

  • Trigger HTTP requests from the application server to arbitrary internal or external URLs
  • Cause the server to access internal network resources (private IPs, cloud metadata endpoints)
  • Cause minor resource consumption through image downloads (bounded by timeout)

Note: This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).

Details

The vulnerable code path:

  1. get_num_tokens_from_messages() processes messages containing image_url content blocks
  2. For images without detail: "low", it calls _url_to_size() to fetch the image and compute token counts
  3. _url_to_size() performs httpx.get(image_source) on any URL without validation
  4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout

File: libs/partners/openai/langchain_openai/chat_models/base.py

Patches

The vulnerability has been patched in langchain-openai==1.1.9 (requires langchain-core==1.2.11).

The patch adds:

  1. SSRF validation using langchain_core._security._ssrf_protection.validate_safe_url() to block:
    • Private IP ranges (RFC 1918, loopback, link-local)
    • Cloud metadata endpoints (169.254.169.254, etc.)
    • Invalid URL schemes
  2. Explicit size limits (50 MB maximum, matching OpenAI's payload limit)
  3. Explicit timeout (5 seconds, same as httpx.get default)
  4. Allow disabling image fetching via allow_fetching_images=False parameter

Workarounds

If you cannot upgrade immediately:

  1. Sanitize input: Validate and filter image_url values before passing messages to token counting or model invocation
  2. Use network controls: Implement egress filtering to prevent outbound requests to private IPs

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@lawrence-u10d

Copy link
Copy Markdown
Contributor

Closing to handle dependency update separately. Branch deleted so Renovate will recreate if needed.

@lawrence-u10d lawrence-u10d deleted the renovate/pypi-langchain-core-vulnerability branch March 26, 2026 14:59
@utic-renovate

utic-renovate Bot commented Mar 26, 2026

Copy link
Copy Markdown
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 1.x releases. But if you manually upgrade to 1.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant