CVE-2024-3095: LangChain: SSRF in Web Retriever exposes cloud metadata

HIGH PoC AVAILABLE CISA: TRACK*
Published June 6, 2024
CISO Take

LangChain's Web Research Retriever makes unrestricted outbound requests, letting low-privilege attackers reach internal services and cloud metadata endpoints (AWS IMDS, GCP metadata) to steal IAM credentials. Any production LangChain deployment using this component should be patched immediately; cloud-hosted instances without IMDSv2 enforcement are at highest risk. Until patched, disable the component or enforce strict egress firewall rules blocking RFC-1918 and link-local ranges.

What is the risk?

High exploitability: network-reachable, low complexity, low privileges, no user interaction required. The Changed scope (S:C) reflects that the blast radius extends beyond LangChain itself into adjacent internal infrastructure. Cloud environments without IMDSv2 enforcement face credential theft leading to full account compromise. On-prem deployments face internal service enumeration and potential interaction with unauthenticated internal APIs. LangChain is widely deployed in enterprise AI pipelines, making the attack surface broad.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
LangChain | pip | | No patch
Package stats: 139.8K, OpenSSF 5.9, 2.7K dependents, pushed 2d ago, 24% patched, ~156d to patch


How severe is it?

CVSS 3.1: 7.7 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 48% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network
AC Low
PR Low
UI None
S Changed
C High
I None
A None

What should I do?

  1. PATCH: Upgrade langchain to a version beyond 0.1.5 that restricts Web Research Retriever to public addresses. Check langchain-ai/langchain release notes for the fix commit.

  2. NETWORK CONTROLS (immediate workaround): Block egress from LangChain application hosts to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16) at the firewall or security group level.

  3. CLOUD HARDENING: Enforce IMDSv2 (token-required mode) on all EC2 instances running LangChain to block SSRF-based metadata theft. On GCP, restrict metadata server access to the instance itself.

  4. LEAST PRIVILEGE: Ensure LangChain application IAM roles follow least privilege; credential theft via SSRF is only impactful if the role has broad permissions.

  5. DISABLE IF UNUSED: If Web Research Retriever is not required, remove it from the dependency injection configuration.

  6. DETECTION: Alert on outbound GET requests from LangChain hosts to 169.254.169.254, metadata.google.internal, or internal RFC-1918 ranges. Monitor for unusual IAM activity following any suspicious requests.
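
One way to implement the DETECTION step over egress proxy logs, as an added example that is not part of the advisory or of LangChain. The log layout, host names and function names are assumptions; the watched ranges and hostname are the ones listed in the steps above.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges and hostname taken from the NETWORK CONTROLS and DETECTION steps.
WATCHED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
METADATA_HOSTS = {"metadata.google.internal"}

# Constructed sample lines; the "time host method url status" layout is assumed.
SAMPLE_LOG = """\
2024-06-07T10:01:02Z rag-worker-1 GET https://en.wikipedia.org/wiki/Server-side_request_forgery 200
2024-06-07T10:01:05Z rag-worker-1 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2024-06-07T10:01:09Z rag-worker-1 GET http://10.0.3.17:9200/ 200
2024-06-07T10:01:11Z rag-worker-2 GET http://metadata.google.internal/ 403
"""

def classify(url):
    """Return a reason string if the URL targets a watched destination, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host in METADATA_HOSTS:
        return "metadata hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname; this log check does not resolve names
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # treat ::ffff:a.b.c.d as the IPv4 address it wraps
    return next((f"destination in {net}" for net in WATCHED_NETS
                 if ip.version == net.version and ip in net), None)

def flag_internal_egress(log_text):
    """Return (timestamp, source host, url, reason) for each GET worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "GET":
            continue  # malformed line or a method this flaw cannot issue
        ts, src, _, url, _status = parts
        reason = classify(url)
        if reason:
            hits.append((ts, src, url, reason))
    return hits

if __name__ == "__main__":
    for hit in flag_internal_egress(SAMPLE_LOG):
        print(*hit, sep="  ")
```

Hostnames that only resolve to internal addresses are not caught by a URL-string check like this one; DNS or flow logs cover that case.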

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Information security in AI system development
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk response activities
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions


Is CVE-2024-3095 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3095, increasing the risk of exploitation.


What systems are affected by CVE-2024-3095?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM application backends.

What is the CVSS score for CVE-2024-3095?

CVE-2024-3095 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.69%.

What is the AI security impact?

Affected AI Architectures

RAG pipelines, agent frameworks, LLM application backends

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. The vulnerability is particularly concerning as it can be exploited to abuse the Web Explorer server as a proxy for web attacks on third parties and interact with servers in the local network, including reading their response data. This could potentially lead to arbitrary code execution, depending on the nature of the local services. The vulnerability is limited to GET requests, as POST requests are not possible, but the impact on confidentiality, integrity, and availability is significant due to the potential for stolen credentials and state-changing interactions with internal APIs.
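
The missing restriction described above can be sketched as a pre-fetch destination check. This is an added example, not LangChain's fix or code from the advisory; `check_public_url`, `system_resolve` and the injectable `resolve` parameter are hypothetical names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolve(host, port):
    """Default resolver: every address the name maps to (uses the system resolver)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def check_public_url(url, resolve=system_resolve):
    """Return (True, addresses) only when every resolved address is publicly routable.

    On rejection returns (False, reason). The caller must connect to one of the
    returned addresses and repeat the check on every redirect; otherwise a
    second DNS answer or a 3xx response can still point the fetch inward.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = resolve(parts.hostname, port)
    except (ValueError, OSError) as exc:
        return False, f"invalid port or resolution failure: {exc}"
    if not addrs:
        return False, "no addresses returned"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for RFC-1918, loopback, link-local and other
        # special-purpose ranges, so one inward-pointing record rejects the URL.
        if not ip.is_global:
            return False, f"{parts.hostname} resolves to non-public address {ip}"
    return True, sorted(addrs)
```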

Exploitation Scenario

An attacker with a low-privilege account (e.g., a trial SaaS user or a developer with API key access) submits a crafted research query to a LangChain-powered RAG pipeline that uses Web Research Retriever. The retriever fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ on the underlying EC2 instance, returning temporary AWS access keys, secret keys, and session tokens. The attacker exfiltrates these credentials and uses them to access S3 buckets containing training data, model weights, or customer data. Alternatively, the attacker enumerates internal services by iterating over common ports (8080, 9200, 6379) on private IP ranges, discovers an unauthenticated Elasticsearch instance, and exfiltrates indexed documents via GET requests — all tunneled through the LangChain server without direct network access.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published: June 6, 2024
Last Modified: November 21, 2024
First Seen: June 6, 2024
