Update dependency langchain-text-splitters to v1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
langchain-text-splitters (changelog)	==0.3.8 → ==1.1.2

---

LangChain Text Splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing

CVE-2025-6985 / GHSA-m42m-m8cr-8m58

More information

Details

The HTMLSectionSplitter class in langchain-text-splitters is vulnerable to XML External Entity (XXE) attacks due to unsafe XSLT parsing. This vulnerability arises because the class allows the use of arbitrary XSLT stylesheets, which are parsed using lxml.etree.parse() and lxml.etree.XSLT() without any hardening measures. In lxml versions up to 4.9.x, external entities are resolved by default, allowing attackers to read arbitrary local files or perform outbound HTTP(S) fetches. In lxml versions 5.0 and above, while entity expansion is disabled, the XSLT document() function can still read any URI unless XSLTAccessControl is applied. This vulnerability allows remote attackers to gain read-only access to any file the LangChain process can reach, including sensitive files such as SSH keys, environment files, source code, or cloud metadata. No authentication, special privileges, or user interaction are required, and the issue is exploitable in default deployments that enable custom XSLT.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-6985
• https://huntr.com/bounties/cf78abbb-df3b-43de-b6ee-132b73ff8331
• https://github.com/langchain-ai/langchain/pull/31819
• https://github.com/langchain-ai/langchain/commit/43eef435505a1c907227b724c0c760ad5fc01790
• https://github.com/advisories/GHSA-m42m-m8cr-8m58

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

LangChain Text Splitters: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass

CVE-2026-41481 / GHSA-fv5p-p927-qmxr

More information

Details

Summary

HTMLHeaderTextSplitter.split_text_from_url() validated the initial URL using validate_safe_url() but then performed the fetch with requests.get() with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server could redirect to internal, localhost, or cloud metadata endpoints, bypassing SSRF protections.

The response body is parsed and returned as Document objects to the calling application code. Whether this constitutes a data exfiltration path depends on the application: if it exposes Document contents (or derivatives) back to the requester who supplied the URL, sensitive data from internal endpoints could be leaked. Applications that store or process Documents internally without returning raw content to the requester are not directly exposed to data exfiltration through this issue.

Affected versions

• langchain-text-splitters < 1.1.2

Patched versions

• langchain-text-splitters >= 1.1.2 (requires langchain-core >= 1.2.31)

Affected code

File: libs/text-splitters/langchain_text_splitters/html.py — split_text_from_url()

The vulnerable pattern validated the URL once then fetched with redirects enabled:

validate_safe_url(url, allow_private=False, allow_http=True)
response = requests.get(url, timeout=timeout, **kwargs)

Attack scenario

1. A developer passes external URLs to split_text_from_url(), relying on its
   built-in validate_safe_url() check to block requests to internal networks.
2. An attacker supplies a URL pointing to a public host they control. The URL
   passes validate_safe_url() (public hostname, public IP).
3. The attacker's server responds with a 302 redirect to an internal endpoint
   (e.g., an unauthenticated internal admin API, or a cloud instance metadata
   service that does not require request headers — such as AWS IMDSv1).
4. requests.get() follows the redirect automatically. The redirect target is
   not revalidated.
5. The response body is parsed and returned as Document objects to the
   application.

Notes:

• The core issue is a bypass of an explicitly provided SSRF protection.
  split_text_from_url() included validate_safe_url() specifically to be
  safe with untrusted URLs — the redirect loophole defeated that guarantee.
• Cloud metadata endpoints that require special headers (AWS IMDSv2, GCP, Azure)
  are not reachable through this bug because the attacker does not control
  request headers. AWS IMDSv1, which requires no headers, is reachable.
• Data exfiltration requires the application to return Document contents to the
  party that supplied the URL. The SSRF itself — forcing the server to issue a
  request to an internal endpoint — does not require this.

Fix

The fix replaces requests.get() with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that validates DNS results and pins connections to validated IPs on every request, including redirect targets, eliminating redirect-based bypasses.

Additionally, split_text_from_url() has been deprecated. Users should fetch HTML content themselves and pass it to split_text() directly.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/langchain-ai/langchain/security/advisories/GHSA-fv5p-p927-qmxr
• https://nvd.nist.gov/vuln/detail/CVE-2026-41481
• https://github.com/advisories/GHSA-fv5p-p927-qmxr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (in timezone Europe/Oslo)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.