CVE-2023-46229: LangChain: SSRF in URL loader exposes internal network

HIGH ACTIVELY EXPLOITED PoC AVAILABLE
Published October 19, 2023
CISO Take

LangChain's RecursiveURLLoader follows redirects from external to internal addresses, enabling attackers to reach cloud metadata services (AWS IMDS at 169.254.169.254), internal APIs, and credential stores. Any RAG pipeline or agent deployment that processes user-supplied or untrusted URLs via document loaders is exposed. Upgrade to LangChain 0.0.317+ immediately and enforce network-level blocks on RFC 1918 and link-local ranges for LangChain hosts.

What is the risk?

High risk (CVSS 8.8). Attack complexity is low and no privileges are required; an attacker only needs to supply a URL that triggers a redirect to an internal target. The 'UI:Required' metric reflects that a user or automated pipeline must invoke the loader, which in practice is the default operating mode for RAG ingestion jobs and AI agents. The primary escalation path is cloud credential theft via metadata services, which can result in full cloud account takeover. LangChain's ubiquity across AI/ML deployments significantly amplifies the blast radius.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain pip No patch

Do you use LangChain? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 44.7% chance of exploitation in 30 days (higher than 99% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Trivial
Exploitation Confidence: high
CISA KEV (active exploitation confirmed)
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 45%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

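AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High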

What should I do?

5 steps
  1. PATCH

    Upgrade LangChain to >= 0.0.317 immediately (commit 9ecb724 addresses this).

  2. NETWORK CONTROL

    Block outbound HTTP/S from LangChain processes to RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local (169.254.0.0/16) ranges at the firewall or security group level.

  3. INPUT VALIDATION

    If patching is delayed, implement a domain allowlist for all inputs to RecursiveURLLoader — reject any URL not on the allowlist before instantiating the loader.

  4. CLOUD HARDENING

    Enable IMDSv2 (AWS), disable legacy IMDS, and apply equivalent protections on GCP/Azure to limit credential exposure via SSRF.

  5. DETECTION

    Alert on HTTP requests from LangChain processes to private IP ranges, metadata service IPs, or internal hostnames; review application logs for unexpected content in loader outputs.
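One way to implement the domain allowlist from step 3, shown as an added example (not LangChain code and not part of the original advisory). The function name `is_allowed_url`, the `ALLOWED_DOMAINS` set and the sample domains are hypothetical; accepting subdomains of an allowlisted domain is an assumption of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist for illustration; replace with the sites you index.
ALLOWED_DOMAINS = {"docs.example.com", "example.org"}

def is_allowed_url(url, allowed=ALLOWED_DOMAINS):
    """Return (ok, reason) for a URL about to be handed to a loader."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any "user@" prefix and the port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http/https"
    if not host:
        return False, "no host"
    host = host.rstrip(".").lower()  # normalise trailing dot and case
    try:
        ipaddress.ip_address(host)
        return False, "IP literal, not an allowlisted domain"
    except ValueError:
        pass  # not an IP literal, continue with the name check
    for domain in allowed:
        # Exact match, or a true subdomain (the leading dot prevents
        # "notexample.org" from matching "example.org").
        if host == domain or host.endswith("." + domain):
            return True, "allowlisted"
    return False, "host not on allowlist"

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "https://docs.example.com/guide",
        "https://docs.example.com@169.254.169.254/latest/meta-data/",
        "https://docs.example.com.evil.test/",
        "file:///etc/passwd",
    ):
        print(sample, is_allowed_url(sample))
```

Call the check before instantiating the loader. It validates only the URL you pass in, so a redirect issued later by an allowlisted host still has to be stopped by the network block in step 2.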

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.9.3 - AI System Security
NIST AI RMF: MANAGE-2.2 - Manage AI Risk Responses
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities; LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2023-46229 actively exploited?

Yes, CVE-2023-46229 is confirmed as actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.

What systems are affected by CVE-2023-46229?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, document processing pipelines, LLM application frameworks, knowledge base ingestion pipelines.

What is the CVSS score for CVE-2023-46229?

CVE-2023-46229 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 44.71%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, agent frameworks, document processing pipelines, LLM application frameworks, knowledge base ingestion pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.9.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05, LLM07

What are the technical details?

Original Advisory

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.

Exploitation Scenario

An attacker controls an external web server at attacker-site.com. They submit this URL as a document source to a LangChain-based RAG pipeline that indexes web content for a corporate AI assistant. When RecursiveURLLoader crawls attacker-site.com, the server responds with HTTP 301 redirecting to http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole. LangChain follows the redirect and fetches the AWS IAM temporary credentials. The attacker extracts these from the indexed content, application logs, or error messages, then uses them to access the organization's S3 buckets containing training data, model weights, and proprietary documents — or to pivot into the broader AWS environment.
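The defensive counterpart to this scenario, as an added example (not LangChain's fix and not from the original advisory): follow redirects by hand and check where each hop resolves before requesting it. `fetch_checked`, the injected `fetch`/`resolve` callables and the fake DNS and HTTP tables are hypothetical, constructed so the code runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

# Ranges named in the mitigation steps on this page.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

class BlockedDestination(Exception):
    """Raised when a hop resolves into a blocked range."""

def check_destination(url, resolve):
    """Resolve the URL's host and refuse any address in BLOCKED_NETS."""
    host = urlsplit(url).hostname or ""
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in BLOCKED_NETS):
            raise BlockedDestination(f"{url} -> {ip}")

def fetch_checked(url, fetch, resolve, max_hops=5):
    """Follow redirects by hand, validating every hop before requesting it."""
    for _ in range(max_hops + 1):
        check_destination(url, resolve)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return url, body
    raise BlockedDestination("redirect limit exceeded")

# Constructed stand-ins for DNS and HTTP so the example runs offline.
METADATA = "http://169.254.169.254/latest/meta-data/iam/security-credentials/MyRole"
FAKE_DNS = {"attacker-site.com": ["203.0.113.10"], "docs.example.com": ["198.51.100.7"]}
FAKE_HTTP = {
    "http://attacker-site.com/": (301, METADATA, ""),
    "http://docs.example.com/": (302, "/index.html", ""),
    "http://docs.example.com/index.html": (200, None, "<html>docs</html>"),
}
def fake_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal, no lookup
    except ValueError:
        return FAKE_DNS[host]

def demo():
    ok = fetch_checked("http://docs.example.com/", FAKE_HTTP.__getitem__, fake_resolve)
    try:
        fetch_checked("http://attacker-site.com/", FAKE_HTTP.__getitem__, fake_resolve)
    except BlockedDestination as exc:
        return ok, str(exc)
    return ok, None
```

A production version must connect to the address it validated; if the HTTP client performs its own second DNS lookup, the answer can differ from the one that was checked.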

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: October 19, 2023
Last Modified: November 21, 2024
First Seen: October 19, 2023
