CVE-2023-46229
published 2023-10-19CVE-2023-46229: LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
PriorityP180high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
44.71%
98.6th percentile
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langchain | langchain | < 0.0.317 | 0.0.317 |
| langchain | langchain | >= 0 < 0.0.317 | 0.0.317 |
| langchain | langchain | >= 0 < 9ecb7240a480720ec9d739b3877a52f76098a2b8 | 9ecb7240a480720ec9d739b3877a52f76098a2b8 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect SSRF attempts via LangChain SitemapLoader: monitor for outbound HTTP requests initiated by aiohttp.ClientSession.get that traverse from external/public URLs to internal/RFC-1918 IP space, as the scrape_all method invokes _fetch without any filtering or sanitizing. ↗
- →Flag LangChain versions earlier than 0.0.317 in software inventory; the vulnerability is present in all prior versions and was patched in pull request langchain#11925 released in version 0.0.317. ↗
- →Alert on HTTP requests to intranet/internal resources (e.g., instance metadata endpoints, internal APIs) originating from a LangChain process, which may indicate exploitation of the SitemapLoader SSRF to access local services, conduct port scans, or retrieve instance metadata. ↗
- →Inspect sitemap XML documents supplied to LangChain SitemapLoader for URLs pointing to internal/private IP ranges or localhost; a malicious actor can embed intranet resource URLs in a crafted sitemap to trigger SSRF. ↗
- ·The patch for CVE-2023-46229 introduces a function called _extract_scheme_and_domain and an allowlist; defenders should verify the allowlist is properly configured to restrict crawling scope, as a misconfigured or overly permissive allowlist may still expose internal resources. ↗
- ·The SSRF vulnerability is triggered through the SitemapLoader's load method, which parses a user-supplied web_path as a sitemap XML and then fetches all URLs within it without restriction; any deployment accepting untrusted sitemap URLs is at risk on versions before 0.0.317. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck8.8HIGH
vendor_redhat8.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
LangChain Server Side Request Forgery vulnerability
osv·2023-10-19
CVE-2023-46229 [HIGH] LangChain Server Side Request Forgery vulnerability
LangChain Server Side Request Forgery vulnerability
LangChain before 0.0.317 allows SSRF via `document_loaders/recursive_url_loader.py` because crawling can proceed from an external server to an internal server.
OSV
CVE-2023-46229: LangChain before 0
osv·2023-10-19
CVE-2023-46229 CVE-2023-46229: LangChain before 0
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
GHSA
LangChain Server Side Request Forgery vulnerability
ghsa·2023-10-19
CVE-2023-46229 [HIGH] CWE-918 LangChain Server Side Request Forgery vulnerability
LangChain Server Side Request Forgery vulnerability
LangChain before 0.0.317 allows SSRF via `document_loaders/recursive_url_loader.py` because crawling can proceed from an external server to an internal server.
VulnCheck
langchain langchain Server-Side Request Forgery (SSRF)
vulncheck·2023·CVSS 8.8
CVE-2023-46229 [HIGH] langchain langchain Server-Side Request Forgery (SSRF)
langchain langchain Server-Side Request Forgery (SSRF)
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
Affected: langchain langchain
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.securelayer7.net/ai-agent-frameworks/
Red Hat
langchain: langchain SSRF
vendor_redhat·2023-10-19·CVSS 8.8
CVE-2023-46229 [HIGH] CWE-918 langchain: langchain SSRF
langchain: langchain SSRF
LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.
A Server-Side Request Forgery (SSRF) flaw was found in the LangChain package due to a lack of restriction enforcement on specific internet addresses. This flaw could allow an attacker to access local services, conduct port scans, retrieve instance metadata, or interact with local network resources.
Statement: No Red Hat products are impacted by this vulnerability as the affected package version is not used.
Package: openshift-lightspeed/lightspeed-service-api-rhel9 (OpenShift Lightspeed) - Not affected
Package: ansible-automation-platform-24/de-minimal-rhel8 (Red Hat Ansible Automation Platform 2) - Not
No detection rules found.
No public exploits indexed.
Unit42
Vulnerabilities in LangChain Gen AI
blogs_unit42·2024-07-23·CVSS 9.8
CVE-2023-46229 [CRITICAL] Vulnerabilities in LangChain Gen AI
## Executive Summary
Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open source generative AI framework with over 81,000 stars on GitHub:
- CVE-2023-46229
- CVE-2023-44467 (LangChain experimental)
LangChain’s website states that more than one million builders use LangChain frameworks for LLM app development. Partner packages for LangChain include many of the big names in cloud, AI, databases and other tech development.
These two flaws could have allowed attackers to execute arbitrary code and access sensitive data, respectively. LangChain has since issued patches to resolve these vulnerabilities. This article provides a comprehensive technical examination of these security issues and offers guidance on mitigating similar threats in the f
Unit42
Vulnerabilities in LangChain Gen AI
blogs_unit42·2024-07-23·CVSS 9.8
CVE-2023-44467 [CRITICAL] Vulnerabilities in LangChain Gen AI
Threat Research Center
Threat Research
Vulnerabilities
## Vulnerabilities in LangChain Gen AI
Yiheng An
Haozhe Zhang
Qi Deng
Published: July 23, 2024
Threat Research
Vulnerabilities
CVE-2023-44467
CVE-2023-46229
GenAI
LangChain
LLM
## Executive Summary
Researchers from Palo Alto Networks have identified two vulnerabilities in LangChain, a popular open source generative AI framework with over 81,000 stars on GitHub:
CVE-2023-46229
CVE-2023-44467 (LangChain experimental)
LangChain’s website states that more than one million builders use LangChain frameworks for LLM app development. Partner packages for LangChain include many of the big names in cloud, AI, databases and other tech development.
These two flaws could have allowed attackers to execute arbitrary code and a
arXiv
Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw
arxiv_fulltext·2026-03-11
Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw
Don’t Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw
Zhengyang Shan
Shandong University
[email protected]
Jiayun Xin
Shandong University
[email protected]
Yue Zhang
Shandong University
[email protected]
Minghui Xu
Shandong University
[email protected]
## Abstract
Code agents powered by large language models can execute shell commands on behalf of users, introducing severe security vulnerabilities. This paper presents a two-phase security analysis of the OpenClaw platform. As an open-source AI agent framework that operates locally, OpenClaw can be integrated with various commercial large language models. Because its native architecture lacks built-in security constraints, it serves as an ideal subject for evaluating basel
2023-10-19
Published
Exploited in the wild