CVE-2023-46229: LangChain: SSRF in URL loader exposes internal network

HIGH ACTIVELY EXPLOITED PoC AVAILABLE
Published October 19, 2023
CISO Take

LangChain's RecursiveURLLoader follows redirects from external to internal addresses, enabling attackers to reach cloud metadata services (AWS IMDS at 169.254.169.254), internal APIs, and credential stores. Any RAG pipeline or agent deployment that processes user-supplied or untrusted URLs via document loaders is exposed. Upgrade to LangChain 0.0.317+ immediately and enforce network-level blocks on RFC 1918 and link-local ranges for LangChain hosts.

Risk Assessment

High risk (CVSS 8.8). Attack complexity is low and no privileges are required — an attacker only needs to supply a URL that triggers a redirect to an internal target. The UI:Required metric reflects that a user or automated pipeline must invoke the loader, which in practice is the default operating mode for RAG ingestion jobs and AI agents. The primary escalation path is cloud credential theft via metadata services, which can result in full cloud account takeover. LangChain's ubiquity across AI/ML deployments significantly amplifies the blast radius.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langchain pip No patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 1.8% chance of exploitation in 30 days (higher than 83% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Trivial
Exploitation Confidence: high
CISA KEV (active exploitation confirmed)
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR None
UI Required
S Unchanged
C High
I High
A High

Recommended Action

  1. PATCH

    Upgrade LangChain to >= 0.0.317 immediately (commit 9ecb724 addresses this).

  2. NETWORK CONTROL

    Block outbound HTTP/S from LangChain processes to RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16) ranges at the firewall or security group level.

  3. INPUT VALIDATION

    If patching is delayed, implement a domain allowlist for all inputs to RecursiveURLLoader — reject any URL not on the allowlist before instantiating the loader.

  4. CLOUD HARDENING

    Enable IMDSv2 (AWS), disable legacy IMDS, and apply equivalent protections on GCP/Azure to limit credential exposure via SSRF.

  5. DETECTION

    Alert on HTTP requests from LangChain processes to private IP ranges, metadata service IPs, or internal hostnames; review application logs for unexpected content in loader outputs.
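A sketch of the step 3 allowlist combined with the step 2 address ranges, applied to every redirect hop rather than only the start URL. This is an added example, not LangChain code; the allowlisted hosts, the constructed DNS answers and all function names are assumptions, and it presumes the fetcher has automatic redirects disabled so each `Location` target is checked before it is requested.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist for this example; list the domains you actually ingest from.
ALLOWED_HOSTS = {"docs.example.com", "kb.example.com"}

# Ranges from step 2, plus loopback and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"docs.example.com": {"203.0.113.10"}, "kb.example.com": {"10.0.5.7"}}

def sample_resolver(host):
    return SAMPLE_DNS.get(host, set())

def system_resolver(host):
    """Every address the name currently resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolver=system_resolver):
    """Return (ok, reason) for a single URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if any(ip in net for net in BLOCKED_NETS):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"

def check_chain(urls, resolver=system_resolver):
    """urls = start URL followed by each redirect target, in order."""
    for hop, url in enumerate(urls):
        ok, reason = check_url(url, resolver)
        if not ok:
            return False, f"hop {hop}: {reason}"
    return True, "ok"
```

The second check matters even with an allowlist: an allowlisted name that resolves to an internal address (`kb.example.com` in the constructed data) is rejected as well.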

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.9.3 - AI System Security
NIST AI RMF: MANAGE-2.2 - Manage AI Risk Responses
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities; LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2023-46229?

LangChain's RecursiveURLLoader follows redirects from external to internal addresses, enabling attackers to reach cloud metadata services (AWS IMDS at 169.254.169.254), internal APIs, and credential stores. Any RAG pipeline or agent deployment that processes user-supplied or untrusted URLs via document loaders is exposed. Upgrade to LangChain 0.0.317+ immediately and enforce network-level blocks on RFC 1918 and link-local ranges for LangChain hosts.

Is CVE-2023-46229 actively exploited?

Yes, CVE-2023-46229 is confirmed actively exploited and listed in the CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2023-46229?

  1. PATCH: Upgrade LangChain to >= 0.0.317 immediately (commit 9ecb724 addresses this).
  2. NETWORK CONTROL: Block outbound HTTP/S from LangChain processes to RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16) ranges at the firewall or security group level.
  3. INPUT VALIDATION: If patching is delayed, implement a domain allowlist for all inputs to RecursiveURLLoader — reject any URL not on the allowlist before instantiating the loader.
  4. CLOUD HARDENING: Enable IMDSv2 (AWS), disable legacy IMDS, and apply equivalent protections on GCP/Azure to limit credential exposure via SSRF.
  5. DETECTION: Alert on HTTP requests from LangChain processes to private IP ranges, metadata service IPs, or internal hostnames; review application logs for unexpected content in loader outputs.

What systems are affected by CVE-2023-46229?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines, LLM application frameworks, knowledge base ingestion pipelines.

What is the CVSS score for CVE-2023-46229?

CVE-2023-46229 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.75%.

Technical Details

NVD Description

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.

Exploitation Scenario

An attacker controls an external web server at attacker-site.com. They submit this URL as a document source to a LangChain-based RAG pipeline that indexes web content for a corporate AI assistant. When RecursiveURLLoader crawls attacker-site.com, the server responds with HTTP 301 redirecting to http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole. LangChain follows the redirect and fetches the AWS IAM temporary credentials. The attacker extracts these from the indexed content, application logs, or error messages, then uses them to access the organization's S3 buckets containing training data, model weights, and proprietary documents — or to pivot into the broader AWS environment.
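How the scenario above would surface in egress logs, as detection logic for the DETECTION step of the recommended actions. This is an added example, not part of the advisory; the log format, the `rag-ingest` process name and the sample lines are constructed assumptions.

```python
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
METADATA_IPS = {"169.254.169.254"}

# Constructed sample lines in an assumed format:
# <time> proc=<name> dst=<ip> status=<code> url=<url>
SAMPLE_LOG = """\
2023-10-20T09:14:01Z proc=rag-ingest dst=203.0.113.10 status=200 url=https://docs.example.com/guide
2023-10-20T09:14:02Z proc=rag-ingest dst=198.51.100.23 status=301 url=http://attacker-site.com/
2023-10-20T09:14:02Z proc=rag-ingest dst=169.254.169.254 status=200 url=http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole
2023-10-20T09:15:40Z proc=billing-api dst=10.0.3.12 status=200 url=http://10.0.3.12/health
2023-10-20T09:16:05Z proc=rag-ingest dst=10.0.3.12 status=200 url=http://10.0.3.12/internal/status
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
                     r"status=(?P<status>\d{3}) url=(?P<url>\S+)$")

def classify(dst):
    """Return 'metadata', 'internal', or None for an external destination."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    if dst in METADATA_IPS:
        return "metadata"
    return "internal" if any(ip in net for net in INTERNAL_NETS) else None

def find_alerts(log_text, watched=("rag-ingest",)):
    """Flag watched loader processes that reach internal or metadata addresses."""
    alerts, last_external_status = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proc"] not in watched:
            continue
        kind = classify(m["dst"])
        if kind:
            prev = last_external_status.get(m["proc"], "")
            alerts.append({"ts": m["ts"], "kind": kind, "url": m["url"],
                           "after_redirect": prev.startswith("3")})
        # Track only external responses, so a 3xx immediately before an
        # internal fetch marks the external-to-internal redirect pattern.
        last_external_status[m["proc"]] = m["status"] if kind is None else ""
    return alerts
```

An alert with `after_redirect` set is the external-to-internal hop the NVD description refers to; an internal fetch without it still warrants review, because the loader process has no business reaching those ranges.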

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: October 19, 2023
Last Modified: November 21, 2024
First Seen: October 19, 2023
