Server-Side Request Forgery Vulnerability in Langchain Community by Langchain AI
CVE-2025-2828
CVSS 10.0 CRITICAL
What is CVE-2025-2828?
A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package. The toolkit does not restrict the destinations of the HTTP requests it issues on behalf of the model: a URL pointing at a loopback, private or link-local address is fetched exactly like a URL on the public internet. An attacker who can steer the URLs the agent requests can therefore use the agent's host to scan ports, reach services bound to localhost, read cloud instance metadata (Azure, AWS) and interact with servers on the internal network. The issue is fixed in langchain-community version 0.0.28.
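The root cause above is a missing egress check between the model-supplied URL and the HTTP client. The following is an added example, not code from the langchain project, of the check a practitioner would place in front of such a tool: the hostname is resolved and the request is refused if any resulting address is non-public, which covers loopback, RFC 1918 ranges, the 169.254.0.0/16 link-local block that hosts the cloud metadata endpoint, and IPv4-mapped IPv6 addresses. The resolver is injectable so the logic can be exercised offline; the SAMPLE_DNS table, its hostnames and the `sample_resolver` function are constructed for this example.

```python
"""Egress guard for a "fetch this URL" agent tool (added example, not langchain code)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to every A/AAAA address it has (real DNS via getaddrinfo)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses.

    ipaddress.is_global already rejects loopback, RFC 1918, link-local
    (169.254.0.0/16, i.e. the AWS/Azure/GCP metadata endpoint), CGNAT,
    documentation ranges and unspecified addresses. IPv4-mapped IPv6
    addresses are unwrapped first so ::ffff:127.0.0.1 cannot slip through.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def check_url(url: str, resolver: Resolver = default_resolver) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL produced by the model.

    Deny by default: unknown schemes, missing hosts, unresolvable names and
    any resolved address that is not public all result in a refusal.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = list(resolver(host))
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"cannot resolve {host}: {exc}"
    if not addresses:
        return False, f"{host} resolved to no addresses"
    for ip in addresses:
        try:
            public = is_public_address(ip)
        except ValueError:
            public = False  # resolver returned something that is not an IP: refuse
        if not public:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS table for offline demonstration; these records are not real.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "internal.corp": ["10.0.0.5"],
    # A rebinding-style name that answers with one public and one loopback address.
    "rebind.attacker": ["93.184.216.34", "127.0.0.1"],
}


def sample_resolver(host: str) -> list[str]:
    """Constructed resolver: literal IPs resolve to themselves, names come from SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    raise socket.gaierror(f"no constructed record for {host}")


if __name__ == "__main__":
    for candidate in (
        "https://example.com/api",
        "http://169.254.169.254/latest/meta-data/",
        "http://localhost:8080/admin",
        "http://[::ffff:127.0.0.1]/",
        "http://rebind.attacker/",
        "file:///etc/passwd",
    ):
        allowed, reason = check_url(candidate, sample_resolver)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {candidate}  ({reason})")
```

Two caveats apply when deploying a check like this. First, resolving in the guard and then letting the HTTP client resolve again leaves a DNS rebinding window; to close it, connect to the address the guard vetted (sending the original hostname in the Host header and TLS SNI) or route all tool traffic through a forward proxy that enforces the same policy at connect time. Second, redirects must be re-checked hop by hop, since a public host can 302 to http://169.254.169.254/.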
Affected Version(s)
langchain-community (langchain-ai/langchain) < 0.0.28
CVSS v3.1
Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
CVSS v3.0
Score: 8.4 (HIGH)
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High