Medium

langchain

SSRF Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability was identified in the Web Research Retriever component of the langchain-ai/langchain project, specifically version 0.1.5. Because the retriever fetches web content server-side, an attacker who can influence the URLs it requests can use it to port-scan the host's network, reach services bound to localhost or internal addresses, and potentially read instance metadata from cloud environments. The report does not state that the issue has been patched.

Available publicly on May 02 2024

4.8

CVSS:

CVSS:3.1/AV:P/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Credit:

ehtec
Remediation Steps
  • Update the Web Research Retriever to a version in which this vulnerability is patched, once one is available (no fixed version is listed below).
  • As an interim measure, route the retriever's outbound requests through an egress proxy that denies access to loopback, RFC 1918, link-local (including the 169.254.169.254 cloud metadata endpoint) and other internal address ranges.
  • Restrict the retriever's network access to the minimum it needs: egress firewall rules plus an allowlist of URL schemes, hosts and ports.
  • Monitor the retriever's outbound traffic for patterns that may indicate exploitation attempts, such as requests to internal address ranges or to many distinct ports on one host.
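The network-restriction steps above can be enforced in code as a URL guard that runs before every fetch (and again on every redirect hop). The following is an added example written for this advisory; it is not langchain's own code and does not reflect any fix the project may have shipped. The blocked ranges, allowed ports and the constructed DNS table used for the offline demo are assumptions chosen for illustration.

```python
"""SSRF guard for a server-side web fetcher (added example, not langchain code)."""
import ipaddress
import socket
from typing import Callable, Dict, List, Union
from urllib.parse import urlparse

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[IPAddr]]

# Assumption: ranges a web-research fetcher should never reach in a typical
# cloud or on-prem deployment. Extend for your environment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata service
    "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # assumption: public web only


class SSRFBlocked(ValueError):
    """Raised when a URL would reach a disallowed destination."""


def _system_resolver(host: str) -> List[IPAddr]:
    """Real DNS lookup (used in production; the demo below swaps in a fake)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return list({ipaddress.ip_address(info[4][0]) for info in infos})


def is_blocked_address(addr: IPAddr) -> bool:
    """True if addr is internal/special. IPv4-mapped IPv6 (::ffff:a.b.c.d) is
    unmapped first so it cannot be used to slip past the IPv4 ranges."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_multicast or addr.is_reserved or addr.is_unspecified:
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_url(url: str, resolver: Resolver = _system_resolver) -> List[IPAddr]:
    """Validate scheme, host, port and *every* resolved address.
    Returns the resolved addresses so the caller can pin the connection to them."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise SSRFBlocked("URL has no host")
    try:
        port = parsed.port            # raises ValueError on a malformed port
    except ValueError as exc:
        raise SSRFBlocked(f"malformed port in {url!r}") from exc
    if port is None:
        port = 443 if scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    try:
        addrs: List[IPAddr] = [ipaddress.ip_address(host)]   # literal IP (v4 or bracketed v6)
    except ValueError:
        addrs = resolver(host)                                 # hostname: resolve it
    if not addrs:
        raise SSRFBlocked(f"could not resolve {host!r}")
    for addr in addrs:                                         # reject if ANY answer is internal
        if is_blocked_address(addr):
            raise SSRFBlocked(f"{host!r} resolves to blocked address {addr}")
    return addrs


def url_is_safe(url: str, resolver: Resolver = _system_resolver) -> bool:
    """Boolean convenience wrapper around check_url."""
    try:
        check_url(url, resolver)
    except SSRFBlocked:
        return False
    return True


# Constructed DNS table so the example runs offline; not real records.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.test": ["93.184.216.34", "169.254.169.254"],  # mixed answers: must be rejected
}


def constructed_resolver(host: str) -> List[IPAddr]:
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS.get(host, [])]


if __name__ == "__main__":
    for u in ("https://example.com/search?q=x", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:169.254.169.254]/", "http://localhost/", "http://intranet.local/admin",
              "http://rebind.test/", "file:///etc/passwd", "http://example.com:8080/"):
        print(f"{'ALLOW' if url_is_safe(u, constructed_resolver) else 'BLOCK':5} {u}")
```

Two caveats apply when wiring this into a fetcher. First, the check resolves the hostname itself and the HTTP client then resolves it again, so an attacker-controlled DNS name can answer differently the second time (DNS rebinding); connect to the addresses returned by `check_url` rather than letting the client re-resolve. Second, the guard must run on the target of every HTTP redirect, not only on the initial URL, since a public host can redirect to an internal one.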
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A