CVE-2026-27795 Overview
A redirect-based Server-Side Request Forgery (SSRF) bypass vulnerability exists in the RecursiveUrlLoader component of @langchain/community, a framework for building LLM-powered applications. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This vulnerability effectively bypasses the SSRF protections introduced in version 1.1.14 (CVE-2026-26019).
Critical Impact
Attackers can leverage redirect chains to access internal services, cloud metadata endpoints, or other restricted resources that should be protected by SSRF mitigations, potentially exposing sensitive infrastructure data or enabling further attacks.
Affected Products
- @langchain/community versions prior to 1.1.18
- LangChainJS applications using RecursiveUrlLoader for web content loading
- LLM-powered applications processing user-supplied URLs through LangChain
Discovery Timeline
- February 25, 2026 - CVE-2026-27795 published to NVD
- February 25, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27795
Vulnerability Analysis
This vulnerability represents an SSRF bypass that circumvents existing security controls. The RecursiveUrlLoader component properly validates the initial URL provided by users against a safelist of allowed destinations. However, the validation occurs only once at the start of the request. When the target server responds with a 3xx redirect status code (301, 302, 303, 307, or 308), the underlying fetch implementation follows the redirect automatically without re-validating the new destination URL.
This design flaw allows attackers to set up a malicious server that responds with a redirect to an internal resource. The initial URL passes validation because it points to an attacker-controlled external server, but the redirect target—such as http://169.254.169.254/ for cloud metadata or http://localhost:8080/admin—is never checked against the security policy.
Root Cause
The root cause is the lack of redirect validation in the URL fetching logic. The original implementation relied on automatic redirect following provided by the fetch API without intercepting and validating each hop in the redirect chain. This is classified under CWE-918 (Server-Side Request Forgery).
Attack Vector
An attacker can exploit this vulnerability through the network by crafting a malicious URL that initially points to an attacker-controlled server. When the RecursiveUrlLoader fetches this URL, the attacker's server responds with a redirect to a sensitive internal endpoint. Since the redirect is followed automatically without validation, the loader fetches the internal resource and potentially returns its contents to the attacker.
// Security patch introducing redirect validation constants
// Source: https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee
const virtualConsole = new VirtualConsole();
virtualConsole.on("error", () => {});
+const MAX_REDIRECTS = 10;
+const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);
+
export interface RecursiveUrlLoaderOptions {
excludeDirs?: string[];
extractor?: (text: string) => string;
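Review bot: MAX_REDIRECTS = 10 is a bare magic number with nothing in this hunk consuming it yet; add a comment stating that it caps the manual redirect loop and why 10 was chosen, and consider exposing it as an optional field on RecursiveUrlLoaderOptions (the interface immediately below) so callers can tighten the limit for untrusted inputs.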
// Security patch importing SSRF validation utilities
// Source: https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d
import { JSDOM, VirtualConsole } from "jsdom";
import { Document } from "@langchain/core/documents";
import { AsyncCaller } from "@langchain/core/utils/async_caller";
+import { isSameOrigin, validateSafeUrl } from "@langchain/core/utils/ssrf";
import {
BaseDocumentLoader,
DocumentLoader,
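Review bot: the new import of isSameOrigin and validateSafeUrl from "@langchain/core/utils/ssrf" makes this module load only on a @langchain/core version that ships that subpath; raise the minimum @langchain/core version this package declares in the same change and call it out in the release notes, otherwise users on an older core get a module-not-found error at import time rather than the intended SSRF check.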
Detection Methods for CVE-2026-27795
Indicators of Compromise
- Outbound HTTP requests from LangChain applications to cloud metadata endpoints (e.g., 169.254.169.254, metadata.google.internal)
- Unexpected connections to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x) from web-facing services
- HTTP 3xx redirect responses in logs where the initial request was to an external domain but subsequent requests target internal resources
Detection Strategies
- Monitor network traffic from LangChain application servers for connections to internal IP address ranges or cloud metadata services
- Implement egress filtering rules and alert on blocked attempts to access internal resources
- Review application logs for RecursiveUrlLoader usage patterns that involve multiple redirects
- Deploy web application firewalls (WAF) with SSRF detection capabilities to identify redirect-based bypass attempts
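An added example (not part of the advisory or any vendor tooling) that turns the indicators above into detection logic: it scans constructed egress-proxy log lines for requests that reached internal or metadata destinations and for 3xx responses from external hosts whose Location points inside. The log line format, the application name and all addresses are assumptions.

```javascript
// Added example, not from LangChain or any vendor tooling: scan constructed
// egress-proxy log lines for the indicators above. Line format is an assumption:
// "<ts> <app> <method> <url> <status> <location-or-dash>".
const METADATA_HOSTS = new Set(["169.254.169.254", "metadata.google.internal"]);

// Loopback, link-local (cloud metadata), RFC 1918 ranges and metadata hostnames.
// IPv6 is only covered for ::1; extend for your own address plan.
function isInternalHost(hostname) {
  if (METADATA_HOSTS.has(hostname) || hostname === "localhost" || hostname === "[::1]") return true;
  const m = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function parseLine(line) {
  const [ts, app, method, url, status, location] = line.trim().split(/\s+/);
  return { ts, app, method, url, status: Number(status), location: location === "-" ? null : location };
}

// Returns one alert per matching line: a request that reached an internal or
// metadata destination, or a 3xx from an external host whose Location points inside.
function findSsrfIndicators(lines) {
  const alerts = [];
  for (const line of lines) {
    const e = parseLine(line);
    const target = new URL(e.url);
    const targetInternal = isInternalHost(target.hostname);
    if (targetInternal) alerts.push({ ts: e.ts, app: e.app, kind: "internal-destination", url: e.url });
    if (e.status >= 300 && e.status < 400 && e.location) {
      const next = new URL(e.location, target); // Location may be relative
      if (!targetInternal && isInternalHost(next.hostname)) {
        alerts.push({ ts: e.ts, app: e.app, kind: "external-to-internal-redirect", url: e.url, location: next.href });
      }
    }
  }
  return alerts;
}

// Constructed sample log (not real traffic).
const SAMPLE_LOG = [
  "2026-02-25T10:00:01Z rag-api GET https://docs.example.com/page 200 -",
  "2026-02-25T10:00:02Z rag-api GET https://redirector.example.net/x 302 http://169.254.169.254/latest/meta-data/",
  "2026-02-25T10:00:02Z rag-api GET http://169.254.169.254/latest/meta-data/ 200 -",
  "2026-02-25T10:00:05Z rag-api GET https://cdn.example.com/a 301 https://cdn.example.com/b",
  "2026-02-25T10:00:06Z rag-api GET http://10.0.3.7:8080/admin 200 -",
];
```

Running findSsrfIndicators(SAMPLE_LOG) yields three alerts: the external-to-metadata redirect, the metadata fetch it led to, and the direct request to 10.0.3.7; the same-host CDN redirect is ignored.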
Monitoring Recommendations
- Enable detailed logging for all HTTP requests made by RecursiveUrlLoader, including redirect chains
- Set up alerts for any requests to cloud provider metadata endpoints from application servers
- Monitor for unusual patterns in URL loading where initial requests go to external domains followed by internal connections
- Track version information of @langchain/community packages across your application inventory
How to Mitigate CVE-2026-27795
Immediate Actions Required
- Upgrade @langchain/community to version 1.1.18 or later immediately
- Audit all applications using RecursiveUrlLoader to identify vulnerable deployments
- Implement network-level egress controls to block access to internal resources and cloud metadata endpoints from application servers
- Review and restrict URL input sources to trusted origins where possible
Patch Information
Users should upgrade to @langchain/community version 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating Location targets before following them. The fix implements three key changes:
- Automatic redirects are disabled (redirect: "manual")
- Each 3xx Location header is resolved and validated with validateSafeUrl() before the next request
- A maximum redirect limit (MAX_REDIRECTS = 10) prevents infinite loops
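The following is an added example, not code from langchainjs, showing the hop-by-hop pattern the Vulnerability Analysis and Patch Information sections describe: automatic redirects are disabled with redirect: "manual", every Location target is validated before it is requested, and the chain is capped at MAX_REDIRECTS. The isAllowedUrl() policy is a simplified allowlist stand-in for validateSafeUrl(), and the fake fetch, hostnames and responses are constructed for offline use.

```javascript
// Added example, not code from langchainjs: manual redirects, per-hop validation, capped chain.
const MAX_REDIRECTS = 10;
const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);
// Simplified stand-in for validateSafeUrl() (an assumption, not the core API): http(s) only and
// an allowlisted hostname, so loopback, link-local metadata and RFC 1918 redirect targets fail.
function isAllowedUrl(url, allowedHosts) {
  return (url.protocol === "http:" || url.protocol === "https:") &&
    allowedHosts.has(url.hostname);
}
// fetchImpl must honour { redirect: "manual" } like the WHATWG fetch API.
// Resolves to the final non-redirect response plus the validated hop list.
async function fetchWithValidatedRedirects(startUrl, allowedHosts, fetchImpl = fetch) {
  let current = new URL(startUrl);
  const hops = [current.href];
  for (let i = 0; i <= MAX_REDIRECTS; i++) {
    if (!isAllowedUrl(current, allowedHosts)) {
      throw new Error(`blocked hop ${i}: ${current.href} is not an allowed destination`);
    }
    const res = await fetchImpl(current.href, { redirect: "manual" });
    if (!REDIRECT_CODES.has(res.status)) return { response: res, hops };
    const location = res.headers.get("location");
    if (!location) throw new Error(`3xx without Location from ${current.href}`);
    current = new URL(location, current); // relative Location resolves against current
    hops.push(current.href);
  }
  throw new Error(`too many redirects (limit ${MAX_REDIRECTS})`);
}
// Constructed offline stand-in for fetch: canned responses keyed by URL.
function makeFakeFetch(table) {
  return async (url, opts) => {
    if (opts.redirect !== "manual") throw new Error("expected redirect: 'manual'");
    const r = table[url] ?? { status: 404 };
    return {
      status: r.status,
      headers: { get: (n) => (n.toLowerCase() === "location" ? r.location ?? null : null) },
      text: async () => r.body ?? "",
    };
  };
}
// Constructed scenario: a same-host relative redirect, a redirect to the cloud
// metadata address, and a self-referencing loop.
const ALLOWED_HOSTS = new Set(["docs.example.com"]);
const fakeFetch = makeFakeFetch({
  "https://docs.example.com/start": { status: 302, location: "/guide" },
  "https://docs.example.com/guide": { status: 200, body: "guide page" },
  "https://docs.example.com/evil": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
  "https://docs.example.com/loop": { status: 301, location: "https://docs.example.com/loop" },
});
```

With the real global fetch in place of fakeFetch, the same function follows a legitimate chain but rejects the metadata redirect at hop 1 and the self-loop after MAX_REDIRECTS hops.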
For detailed patch information, see the GitHub Security Advisory GHSA-gf3v-fwqg-4vh7 and Release v1.1.18.
Workarounds
- If immediate upgrade is not possible, avoid processing untrusted user-supplied URLs through RecursiveUrlLoader
- Implement a reverse proxy or network firewall rule that blocks outbound connections from application servers to internal IP ranges and cloud metadata endpoints
- Use URL allowlisting at the application level to restrict RecursiveUrlLoader to only known, trusted domains
- Consider disabling RecursiveUrlLoader functionality until the upgrade can be applied
# Install the patched version of @langchain/community (npm update does not accept a version specifier)
npm install @langchain/community@1.1.18
# Verify that the installed version is 1.1.18 or later
npm list @langchain/community
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.