The vulnerability exists in `_url_to_size()`, a helper function used by `get_num_tokens_from_messages()` to count tokens for image inputs. The function first validates a URL with `validate_safe_url(image_source, allow_private=False, allow_http=True)` to block internal/private IP addresses (SSRF protection). After validation, it performs a separate network fetch using `httpx.get(image_source, timeout=timeout)`. Crucially, the second fetch triggers a fresh DNS resolution independent from the validation step.

An attacker controlling a domain can exploit this Time-of-Check Time-of-Use (TOCTOU) race: during validation, the domain resolves to a public IP (e.g., 1.2.3.4) which passes the safety check. Immediately after, before the fetch, the attacker changes DNS to resolve to a private IP (e.g., 127.0.0.1, 192.168.1.1, or a cloud metadata address). The second fetch then connects to the internal IP, bypassing the validation.

The fetched response body is passed directly to `Pillow.Image.open()` to extract image dimensions. The content is never returned to the caller, logged, or exposed – so data exfiltration is impossible. However, an attacker can perform blind probing: by measuring timing differences or error messages (e.g., connection refused vs. timeout vs. invalid image format), they can infer whether an internal host/port is open and possibly whether a service returns image-like data. The attack requires the attacker to control the image URL input to the model.

Affected: langchain-openai < 1.1.14. Patched: >=1.1.14 (requires langchain-core >=1.2.31). The fix replaces validate-then-fetch with `SSRFSafeSyncTransport` (from langchain-core) that resolves DNS once, validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS), pins the connection, and disables redirects.
DailyCVE form:
Platform: langchain-openai
Version: < 1.1.14
Vulnerability: DNS rebinding SSRF
Severity: Medium (limited)
Date: 2025-01-15
Prediction: Patch 2025-01-20
What Undercode Say:
```bash
# Check vulnerable version
pip show langchain-openai | grep Version

# Simulate vulnerable DNS rebinding (conceptual)
# Attacker domain: evil.com with short TTL
dig evil.com +short   # first returns 1.2.3.4
# After validation, change to 127.0.0.1

# Monitor fetch timing
time curl -x socks5h://localhost:9050 http://evil.com/image.jpg

# Test blind probe to internal host
# Use error difference: "connection refused" vs "timeout"
for port in 22 80 443 8080; do
  time python3 -c "
import httpx
try:
    httpx.get('http://169.254.169.254:${port}/', timeout=2)
except Exception as e:
    print(f'Port ${port}: {type(e).__name__}')
"
done
```
Exploit:
Attacker registers domain `attacker.com` with DNS A record `1.2.3.4` (public). In a LangChain application, the user provides the image URL `http://attacker.com/fake.jpg`. `validate_safe_url()` resolves to `1.2.3.4` – allowed. Immediately before `httpx.get()`, the attacker changes the DNS A record to `127.0.0.1`. The fetch connects to localhost. If an internal service (e.g., Redis, memcached, metadata API) responds with data that Pillow attempts to parse as an image, timing/errors leak existence. Example blind probe: fetch `http://169.254.169.254/latest/meta-data/` – connection succeeds but Pillow raises `UnidentifiedImageError` – attacker infers metadata service is reachable.
Protection from this CVE:
- Upgrade to `langchain-openai >= 1.1.14` and `langchain-core >= 1.2.31`.
- Apply workaround: override `_url_to_size()` with custom SSRF-safe fetch using pinned DNS and connection (e.g., `SSRFSafeSyncTransport`).
- Network-level: egress filtering to block outbound requests to private IP ranges from application pods/servers.
- Use a forward proxy that enforces DNS resolution once and rejects rebinding (e.g., dnsmasq with `--stop-dns-rebind`).
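A small offline simulation of why validate-then-fetch fails and why resolve-once, validate-all, pin holds. This is an added example, not langchain-core's `SSRFSafeSyncTransport` code. `FlippingResolver`, `rebind.example` and the function names are constructed for illustration, and the address policy is approximated with Python's `ipaddress` module.

```python
import ipaddress
import socket

def system_resolve(host):
    """Real resolver: every address the name currently maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked(ip):
    """Policy check: reject anything that is not a globally routable unicast address."""
    addr = ipaddress.ip_address(ip)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return addr.is_multicast or not addr.is_global

def validate_then_fetch(host, resolve=system_resolve):
    """Check and use each do their own lookup (the pattern the advisory describes)."""
    if any(is_blocked(ip) for ip in resolve(host)):  # time of check
        raise ValueError(f"{host}: blocked address")
    return resolve(host)[0]  # time of use: a second lookup picks the connect target

def resolve_once_and_pin(host, resolve=system_resolve):
    """One lookup; every answer must pass; the caller connects to the returned IP."""
    ips = resolve(host)
    if not ips or any(is_blocked(ip) for ip in ips):
        raise ValueError(f"{host}: blocked address in {ips}")
    return ips[0]  # dial this literal IP; keep the hostname only for Host/SNI

class FlippingResolver:
    """Constructed stand-in for a short-TTL record whose answer changes per query."""
    def __init__(self, *answers):
        self.answers, self.calls = answers, 0
    def __call__(self, host):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return list(answer)

def demo():
    """Return (connect target of the old pattern, connect target of the pinned one)."""
    old = validate_then_fetch("rebind.example", FlippingResolver(["1.2.3.4"], ["127.0.0.1"]))
    new = resolve_once_and_pin("rebind.example", FlippingResolver(["1.2.3.4"], ["127.0.0.1"]))
    return old, new

if __name__ == "__main__":
    print(demo())
```

The pinned variant also rejects a single answer that mixes public and internal addresses, which a check on only the first record would miss.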
Impact:
- Blind SSRF probing – attacker can map internal network, detect open ports, and identify running services (e.g., cloud metadata, internal APIs, databases) based on error codes and response times.
- No data exfiltration – response body never returned to caller.
- No remote code execution or direct data leak.
- Risk elevated in environments where internal services return image-like binary data (uncommon) – then dimension extraction might succeed and token count could differ, but still no content leakage.
- Overall impact limited to information disclosure of service presence (similar to port scanning).
Sources:
Reported By: github.com

