CVE-2024-3095: LangChain: SSRF in Web Retriever exposes cloud metadata

Severity: HIGH | PoC available | CISA SSVC: Track*
Published June 6, 2024

CISO Take

LangChain's Web Research Retriever makes unrestricted outbound requests, letting low-privilege attackers reach internal services and cloud metadata endpoints (AWS IMDS, GCP metadata) to steal IAM credentials. Any production LangChain deployment using this component should be patched immediately; cloud-hosted instances without IMDSv2 enforcement are at highest risk. Until patched, disable the component or enforce strict egress firewall rules blocking RFC-1918 and link-local ranges.

Risk Assessment

High exploitability: network-reachable, low complexity, low privileges, no user interaction required. The Changed scope (S:C) reflects that the blast radius extends beyond LangChain itself into adjacent internal infrastructure. Cloud environments without IMDSv2 enforcement face credential theft leading to full account compromise. On-prem deployments face internal service enumeration and potential interaction with unauthenticated internal APIs. LangChain is widely deployed in enterprise AI pipelines, making the attack surface broad.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langchain pip No patch

Severity & Risk

CVSS 3.1: 7.7 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 37% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: None
A: None

Recommended Action

  1. PATCH

    Upgrade langchain to a version beyond 0.1.5 that restricts Web Research Retriever to public addresses. Check langchain-ai/langchain release notes for the fix commit.

  2. NETWORK CONTROLS (immediate workaround)

    Block egress from LangChain application hosts to RFC-1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16) at the firewall or security group level.

  3. CLOUD HARDENING

    Enforce IMDSv2 (token-required mode) on all EC2 instances running LangChain to block SSRF-based metadata theft. On GCP, restrict metadata server access to the instance itself.

  4. LEAST PRIVILEGE

    Ensure LangChain application IAM roles follow least privilege — credential theft via SSRF is only impactful if the role has broad permissions.

  5. DISABLE IF UNUSED

    If Web Research Retriever is not required, remove it from the dependency injection configuration.

  6. DETECTION

    Alert on outbound GET requests from LangChain hosts to 169.254.169.254, metadata.google.internal, or internal RFC-1918 ranges. Monitor for unusual IAM activity following any suspicious requests.
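
A destination check for the ranges listed in steps 2 and 6, usable both as an application-level guard before a fetch and as a detection pass over egress logs. This is an added example, not LangChain's fix or code from the advisory; the function names, the `resolve` parameter, the log format and the sample lines are constructed for illustration, and the IPv6 ranges go beyond the IPv4 list above.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges and hostname from steps 2 and 6; the IPv6 entries are added equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC-1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",               # IPv6 equivalents
)]
BLOCKED_HOSTS = {"metadata.google.internal"}

def system_resolve(host):
    # Every address the OS returns; a literal IP comes back unchanged.
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def blocked_reason(url, resolve=system_resolve):
    """Return why url targets a non-public destination, or None if allowed."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return "no host in URL"
    if host in BLOCKED_HOSTS:
        return "metadata hostname"
    try:
        candidates = resolve(host)  # check every address, not just the first
    except OSError:
        return "unresolvable host"
    for text in candidates:
        addr = ipaddress.ip_address(text)
        # Unwrap ::ffff:a.b.c.d so IPv4-mapped IPv6 cannot bypass the IPv4 ranges.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        for net in BLOCKED_NETS:
            if addr.version == net.version and addr in net:
                return f"{addr} in {net}"
    return None

def flag_log_lines(lines, resolve=system_resolve):
    """Detection pass over constructed 'timestamp METHOD url' egress-log lines."""
    rows = (line.split() for line in lines)
    return [r[2] for r in rows
            if len(r) == 3 and r[1] == "GET" and blocked_reason(r[2], resolve)]

# Constructed sample egress log, not taken from a real system.
SAMPLE_LOG = [
    "2024-06-06T12:00:01Z GET https://example.com/article",
    "2024-06-06T12:00:02Z GET http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "2024-06-06T12:00:03Z GET http://metadata.google.internal/",
    "2024-06-06T12:00:04Z GET http://internal.example:9200/",
]
```

Run the same check on every redirect hop, and keep the firewall rule from step 2 in place: a DNS answer can change between this check and the actual fetch.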

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Information security in AI system development
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain AI risk response activities
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions


Is CVE-2024-3095 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-3095, increasing the risk of exploitation.


What systems are affected by CVE-2024-3095?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM application backends.

What is the CVSS score for CVE-2024-3095?

CVE-2024-3095 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.16%.

Technical Details

NVD Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the Web Research Retriever component of langchain-ai/langchain version 0.1.5. The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. The vulnerability is particularly concerning as it can be exploited to abuse the Web Explorer server as a proxy for web attacks on third parties and interact with servers in the local network, including reading their response data. This could potentially lead to arbitrary code execution, depending on the nature of the local services. The vulnerability is limited to GET requests, as POST requests are not possible, but the impact on confidentiality, integrity, and availability is significant due to the potential for stolen credentials and state-changing interactions with internal APIs.

Exploitation Scenario

An attacker with a low-privilege account (e.g., a trial SaaS user or a developer with API key access) submits a crafted research query to a LangChain-powered RAG pipeline that uses Web Research Retriever. The retriever fetches http://169.254.169.254/latest/meta-data/iam/security-credentials/ on the underlying EC2 instance, returning temporary AWS access keys, secret keys, and session tokens. The attacker exfiltrates these credentials and uses them to access S3 buckets containing training data, model weights, or customer data. Alternatively, the attacker enumerates internal services by iterating over common ports (8080, 9200, 6379) on private IP ranges, discovers an unauthenticated Elasticsearch instance, and exfiltrates indexed documents via GET requests — all tunneled through the LangChain server without direct network access.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published: June 6, 2024
Last Modified: November 21, 2024
First Seen: June 6, 2024
