{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-05-12T09:50:29.473",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-27795",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-02-25T18:23:41.153",
        "lastModified": "2026-04-13T14:15:35.920",
        "vulnStatus": "Analyzed",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "LangChain is a framework for building LLM-powered applications. Prior to version 1.1.18, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in `RecursiveUrlLoader` in `@langchain/community`. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This bypasses the SSRF protections introduced in 1.1.14 (CVE-2026-26019). Users should upgrade to `@langchain/community` 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating `Location` targets before following them. In this version, automatic redirects are disabled (`redirect: \"manual\"`), each 3xx `Location` is resolved and validated with `validateSafeUrl()` before the next request, and a maximum redirect limit prevents infinite loops."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "REQUIRED",
                "scope": "CHANGED",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 2.3,
              "impactScore": 1.4
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "REQUIRED",
                "scope": "CHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 4.0
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-918"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:langchain:langchain_community:*:*:*:*:*:node.js:*:*",
                    "versionEndExcluding": "1.1.18",
                    "matchCriteriaId": "82E0218B-5EC7-4779-9F3F-FF40F63DEA54"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/langchain-ai/langchainjs/commit/2812d2b2b9fd9343c4850e2ab906b8cf440975ee",
            "source": "security-advisories@github.com",
            "tags": ["Patch"]
          },
          {
            "url": "https://github.com/langchain-ai/langchainjs/commit/d5e3db0d01ab321ec70a875805b2f74aefdadf9d",
            "source": "security-advisories@github.com",
            "tags": ["Patch"]
          },
          {
            "url": "https://github.com/langchain-ai/langchainjs/pull/9990",
            "source": "security-advisories@github.com",
            "tags": ["Issue Tracking"]
          },
          {
            "url": "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.14",
            "source": "security-advisories@github.com",
            "tags": ["Release Notes"]
          },
          {
            "url": "https://github.com/langchain-ai/langchainjs/releases/tag/%40langchain%2Fcommunity%401.1.18",
            "source": "security-advisories@github.com",
            "tags": ["Release Notes"]
          },
          {
            "url": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-gf3v-fwqg-4vh7",
            "source": "security-advisories@github.com",
            "tags": ["Not Applicable"]
          },
          {
            "url": "https://github.com/langchain-ai/langchainjs/security/advisories/GHSA-mphv-75cg-56wg",
            "source": "security-advisories@github.com",
            "tags": ["Vendor Advisory"]
          }
        ]
      }
    }
  ]
}
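The description above states the mechanism of both the bug (validate once, let fetch auto-follow) and the fix (`redirect: "manual"`, validate every `Location`, cap the hop count) without showing either. The following is an added example written for this page, not code from `@langchain/community` or from the referenced commits. `isSafeUrl()` is a hypothetical stand-in for the project's `validateSafeUrl()`, whose exact rules the advisory does not show; `fetchWithSafeRedirects()`, `fetchValidatedOnce()`, `fakeFetch()` and the `docs.example.com` hostnames are likewise invented for the demonstration. The fake server is constructed in-process so the chain runs offline.

```javascript
// Added example, not @langchain/community code. isSafeUrl() stands in for validateSafeUrl().

// Special-use IPv4 ranges an SSRF guard should refuse. The WHATWG URL parser has already
// normalised shorthand hosts (http://2130706433/, http://0x7f.1/) to dotted-quad form.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return (
    a === 0 || a === 127 ||               // 0.0.0.0/8 (reaches localhost on Linux), loopback
    a === 10 ||                           // 10.0.0.0/8
    (a === 169 && b === 254) ||           // link-local, incl. 169.254.169.254 metadata
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127)    // 100.64.0.0/10, used by some metadata services
  );
}

// IPv6 equivalents, on the bracket-stripped, WHATWG-serialised address.
function isPrivateIPv6(ip) {
  const h = ip.toLowerCase();
  // unspecified, loopback, fc00::/7 unique-local, fe80::/10 link-local
  if (h === "::" || h === "::1" || /^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true;
  const mapped = h.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // IPv4-mapped form
  if (mapped) {
    const hi = parseInt(mapped[1], 16), lo = parseInt(mapped[2], 16);
    return isPrivateIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// String-level check run on the initial URL and again on every redirect target. It does not
// resolve DNS; a public name that resolves (or rebinds) to an internal address is not caught here.
function isSafeUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false;   // http://public.example@169.254.169.254/
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.startsWith("[")) return !isPrivateIPv6(host.slice(1, -1));
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return !isPrivateIPv4(host);
  return true;
}

// Hardened fetch as the advisory describes: no automatic redirects; each 3xx Location is
// resolved against the current hop, validated, and counted against maxRedirects.
async function fetchWithSafeRedirects(startUrl, fetchImpl, maxRedirects = 5) {
  const hops = [];
  let current = startUrl;
  for (let i = 0; i <= maxRedirects; i++) {
    if (!isSafeUrl(current)) throw new Error(`blocked unsafe URL: ${current}`);
    hops.push(current);
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (res.status >= 300 && res.status < 400 && location) {
      current = new URL(location, current).href;    // relative Location resolved here
      continue;
    }
    return { response: res, hops };
  }
  throw new Error(`too many redirects (limit ${maxRedirects})`);
}

// The pre-fix shape: validate once, then let the client follow redirects on its own.
// Auto-follow is emulated on top of the same injected fetch so the two can be compared.
async function fetchValidatedOnce(startUrl, fetchImpl) {
  if (!isSafeUrl(startUrl)) throw new Error(`blocked unsafe URL: ${startUrl}`);
  let current = startUrl;
  for (let i = 0; i < 20; i++) {
    const res = await fetchImpl(current, { redirect: "manual" });
    const location = res.headers.get("location");
    if (!(res.status >= 300 && res.status < 400 && location)) return { response: res, finalUrl: current };
    current = new URL(location, current).href;      // followed without revalidation
  }
  throw new Error("too many redirects");
}

// Constructed stand-in for the network: hostnames and paths are invented, no sockets are opened.
const fakeServer = {
  "https://docs.example.com/start": { status: 302, location: "/page" },
  "https://docs.example.com/page": { status: 200, body: "public page" },
  "https://docs.example.com/to-metadata": { status: 302, location: "http://169.254.169.254/latest/meta-data/" },
  "https://docs.example.com/loop": { status: 302, location: "/loop" },
  "http://169.254.169.254/latest/meta-data/": { status: 200, body: "iam/\ninstance-id\n" },
};

async function fakeFetch(url, opts) {
  if (!opts || opts.redirect !== "manual") throw new Error("fake fetch only supports redirect: 'manual'");
  const entry = fakeServer[url] || { status: 404 };
  const headers = new Map(entry.location ? [["location", entry.location]] : []);
  return { status: entry.status, headers, text: async () => entry.body || "" };
}

// Stand-alone run: the safe chain succeeds, validate-once reaches the metadata endpoint,
// the hardened loader blocks that hop and stops the redirect loop at the limit.
(async () => {
  console.log((await fetchWithSafeRedirects("https://docs.example.com/start", fakeFetch)).hops);
  console.log((await fetchValidatedOnce("https://docs.example.com/to-metadata", fakeFetch)).finalUrl);
  for (const p of ["to-metadata", "loop"])
    await fetchWithSafeRedirects(`https://docs.example.com/${p}`, fakeFetch).catch((e) => console.log(e.message));
})();
```

Two points the advisory text implies but a practitioner should verify in their own loader: a relative `Location` must be resolved against the URL of the hop that returned it, not the original start URL, before it is validated, and a string-level validator like the one above is only the first layer. Because it never resolves names, it should be paired with a check on the addresses actually connected to (or a pinned resolver) so that a public hostname pointing at an internal address, or rebinding between validation and connect, does not slip past.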