CVE-2025-2828: LangChain RequestsToolkit: SSRF exposes cloud metadata

GHSA-h5gc-rm8j-5gpr CRITICAL PoC AVAILABLE CISA: ATTEND
Published June 23, 2025
CISO Take

Any LangChain deployment using RequestsToolkit (OpenAPI agents) is exposed to CVSS 10.0 SSRF requiring zero authentication. An attacker can pivot through your agent to steal AWS/Azure instance credentials via metadata endpoints, scan internal networks, and access private services. Upgrade langchain-community to ≥0.0.28 immediately — this is a patch-now situation before your next deployment window.

Risk Assessment

CVSS 10.0 with network-accessible vector, zero authentication, no user interaction, and scope change represents maximum theoretical severity. EPSS (0.00052) reflects low current exploitation activity, but the attack is trivial to execute — no AI/ML knowledge required, just a standard SSRF payload. LangChain is widely deployed in production AI systems, and cloud-hosted agents are at highest risk due to IMDSv1 metadata exposure. Any org running LangChain OpenAPI agents should treat this as critical priority.

Affected Systems

Package              Ecosystem  Vulnerable Range  Patched
langchain            pip        -                 No patch
langchain-community  pip        < 0.0.28          0.0.28

Severity & Risk

CVSS 3.1
10.0 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 38% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Changed
C: High
I: High
A: High

Recommended Action

  1. PATCH

    Upgrade langchain-community to ≥0.0.28 immediately — patch is available and targeted.

  2. NETWORK

    Block egress from agent hosts to 169.254.169.254 (IMDS), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 via firewall/security groups — network-level defense independent of patch status.

  3. AWS

    Enforce IMDSv2 (require session tokens) on all EC2 instances running LangChain agents to neutralize IMDS credential theft even if SSRF succeeds.

  4. AUDIT

    Grep the codebase for RequestsToolkit and OpenAPIToolkit instantiations; verify that each runs on a patched version of langchain-community.

  5. DETECT

    Alert on HTTP requests to RFC-1918 or link-local (169.254.x.x) addresses originating from agent processes.

  6. ISOLATE

    Run LangChain agents in isolated network namespaces or VPCs with explicit egress allowlists rather than default-allow.

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.5 - AI risk treatment
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of identified AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-2828?

Any LangChain deployment using RequestsToolkit (OpenAPI agents) is exposed to CVSS 10.0 SSRF requiring zero authentication. An attacker can pivot through your agent to steal AWS/Azure instance credentials via metadata endpoints, scan internal networks, and access private services. Upgrade langchain-community to ≥0.0.28 immediately — this is a patch-now situation before your next deployment window.

Is CVE-2025-2828 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-2828, increasing the risk of exploitation.

How to fix CVE-2025-2828?

  1. PATCH: Upgrade langchain-community to ≥0.0.28 immediately — patch is available and targeted.
  2. NETWORK: Block egress from agent hosts to 169.254.169.254 (IMDS), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 via firewall/security groups — network-level defense independent of patch status.
  3. AWS: Enforce IMDSv2 (require session tokens) on all EC2 instances running LangChain agents to neutralize IMDS credential theft even if SSRF succeeds.
  4. AUDIT: Grep the codebase for RequestsToolkit and OpenAPIToolkit instantiations; verify that each runs on a patched version.
  5. DETECT: Alert on HTTP requests to RFC-1918 or link-local (169.254.x.x) addresses originating from agent processes.
  6. ISOLATE: Run LangChain agents in isolated network namespaces or VPCs with explicit egress allowlists rather than default-allow.

What systems are affected by CVE-2025-2828?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, OpenAPI integration agents, LLM-powered API automation, RAG pipelines with external data fetching, cloud-hosted AI assistants.

What is the CVSS score for CVE-2025-2828?

CVE-2025-2828 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.

Exploitation Scenario

Attacker interacts with a customer-facing LangChain OpenAPI agent — such as an AI assistant with web browsing or API integration capabilities. Attacker crafts a query that causes the agent to invoke RequestsToolkit with URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDSv1). Since RequestsToolkit applies no URL or address filtering, it fetches the endpoint and returns temporary IAM credentials bound to the agent host's instance role. Attacker now holds valid AWS credentials potentially granting access to S3, RDS, Secrets Manager, and other services in scope of that IAM role — full cloud lateral movement from a single LLM query. No AI/ML expertise required; this is a known SSRF pattern applied to an AI agent surface.
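The scenario above and the NETWORK, DETECT and ISOLATE steps under Recommended Action both come down to the same control: an agent's outbound HTTP must never reach a non-global address. The following is an added example, not code from this advisory or from the langchain project. It shows a destination guard that resolves a URL's host and refuses anything private, loopback, link-local (where IMDS lives) or otherwise non-global, and a detector that applies the same classification to egress-log lines. The log format, the process name `langchain-agent`, and the helper names `check_url`, `resolve_host`, `is_internal_address` and `find_internal_egress` are assumptions made for this example.

```python
"""Egress guard and log-side detection for agent-issued HTTP requests.

Added example (assumed helper names; not langchain's own code). The guard
answers the NVD finding that RequestsToolkit "does not enforce restrictions
on requests to remote internet addresses": every resolved address of the
destination must be globally routable, otherwise the request is refused.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """All addresses a host maps to; IP literals map to themselves without DNS."""
    try:
        return [ipaddress.ip_address(host.strip("[]"))]
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_internal_address(addr):
    """True for any address an agent must never fetch from (RFC 1918, loopback,
    link-local incl. 169.254.169.254, CGNAT, multicast, unspecified, ...)."""
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it cannot dodge the v4 checks.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def check_url(url, resolve=resolve_host):
    """Return (allowed, reason). `resolve` is injectable so it can be tested offline."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = resolve(host)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {host}: {exc}"
    for addr in addrs:
        if is_internal_address(addr):
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"


# Constructed egress-proxy log lines for the DETECT step (format is an assumption).
SAMPLE_LOG = """\
2025-06-23T10:00:01Z proc=langchain-agent dst=api.weather.example:443 GET /v1/forecast
2025-06-23T10:00:07Z proc=langchain-agent dst=169.254.169.254:80 GET /latest/meta-data/iam/security-credentials/
2025-06-23T10:00:09Z proc=langchain-agent dst=10.0.3.17:5432 CONNECT -
2025-06-23T10:00:12Z proc=backup-job dst=192.168.1.20:22 CONNECT -
"""

LOG_RE = re.compile(r"proc=(?P<proc>\S+) dst=(?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)")


def find_internal_egress(log_text, agent_procs=("langchain-agent",)):
    """Lines where an agent process reached a non-global destination.
    Only IP-literal destinations are classified; a hostname would need the
    proxy's resolved-address field, which this constructed format lacks."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("proc") not in agent_procs:
            continue
        try:
            addr = ipaddress.ip_address(m.group("host").strip("[]"))
        except ValueError:
            continue
        if is_internal_address(addr):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for u in ("https://8.8.8.8/", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/latest/meta-data/"):
        print(u, "->", check_url(u))
    for hit in find_internal_egress(SAMPLE_LOG):
        print("ALERT:", hit)
```

Two caveats for anyone wiring this in: the check and the later fetch resolve the name separately, so a rebinding DNS answer can pass the check and still land on an internal address; pin the checked IP when opening the connection, or perform the check inside the HTTP adapter. And the guard complements, rather than replaces, upgrading langchain-community and enforcing IMDSv2: it stops the destination classes the scenario above relies on, but only the patch removes the unrestricted fetch from the toolkit itself.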

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
June 23, 2025
Last Modified
July 17, 2025
First Seen
June 23, 2025
