PT-2025-26643 · Langchain Ai · Langchain

Published: 2025-06-23 · Updated: 2025-07-16 · CVE-2025-2828

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: langchain-ai/langchain version 0.0.27
Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments, and interact with servers on the local network.
Recommendations: Update to version 0.0.28 to resolve the issue. As a temporary workaround, consider restricting access to the RequestsToolkit component until the update is applied. Avoid using the RequestsToolkit to access local addresses until the issue is resolved.
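The description above comes down to one missing control: the tool makes a request to whatever URL it is handed, with no check that the destination is a public internet address rather than loopback, a private network, or the link-local metadata range. The following is an added example of such a check, written for this page and not taken from langchain-community; the names check_url, is_allowed, BlockedURL and the injectable resolver parameter are hypothetical, and it assumes the request tool can call a precondition before each fetch. It blocks literal internal IPs, IPv4-mapped IPv6 forms, non-HTTP schemes, and hostnames that resolve to any internal address. The sample addresses and the fake DNS table are constructed so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example: a destination guard an HTTP tool can call before each request.
# Nothing here is langchain-community's own code; all names are hypothetical.

# Address ranges an agent tool should never be allowed to reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # carrier-grade NAT (not covered by is_private)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata endpoint
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique-local
    "fe80::/10",        # IPv6 link-local
)]


class BlockedURL(ValueError):
    """Raised when a URL must not be fetched by the tool."""


def resolve_with_dns(host):
    """Default resolver: every address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_internal(addr):
    """True if addr is loopback, private, link-local, reserved or otherwise non-public."""
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_url(url, resolver=resolve_with_dns):
    """Return the resolved addresses for url, or raise BlockedURL.

    The resolver is injectable so the check can be unit-tested offline and so a
    caller can pin the actual connection to the address that was checked.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise BlockedURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise BlockedURL("URL has no host")
    # Literal IPs are checked directly; names are checked via every resolved
    # address, so 'localhost' or decimal forms like 2130706433 are caught after
    # resolution rather than slipping past a string match.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise BlockedURL(f"cannot resolve {host!r}: {exc}") from exc
        if not addrs:
            raise BlockedURL(f"no addresses for {host!r}")
    for addr in addrs:
        if _is_internal(addr):
            raise BlockedURL(f"{url} resolves to internal address {addr}")
    return addrs


def is_allowed(url, resolver=resolve_with_dns):
    """Boolean wrapper for use as a precondition in a request tool."""
    try:
        check_url(url, resolver=resolver)
        return True
    except BlockedURL:
        return False


if __name__ == "__main__":
    # Constructed DNS table so the demo runs offline; 93.184.216.34 stands in
    # for an arbitrary public address.
    fake_dns = {"example.com": ["93.184.216.34"],
                "rebind.test": ["93.184.216.34", "10.0.0.5"]}
    for u in ("https://example.com/", "http://169.254.169.254/",
              "http://[::ffff:127.0.0.1]:8080/", "http://rebind.test/",
              "file:///etc/passwd"):
        print(u, "->", is_allowed(u, resolver=lambda h: fake_dns.get(h, [])))
```

Two design points matter when wiring a guard like this into a request tool. First, the check resolves the name once and the HTTP client resolves it again, so a name that changes between the two lookups (DNS rebinding) would pass; connecting to the address check_url returned, rather than letting the client re-resolve, closes that gap. Second, redirects must be re-checked per hop, since a public host can 3xx the client to an internal address; disable automatic redirects and run check_url on each Location before following it.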

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2025-09014
CVE-2025-2828
GHSA-H5GC-RM8J-5GPR
PYSEC-2025-70

Affected Products

Langchain