PT-2026-35320 · Pypi · Langchain-Openai

Published

2026-04-16

·

Updated

2026-04-16

CVSS v3.1

3.1

Low

VectorAV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Summary

langchain-openai's url to size() helper (used by get num tokens from messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.
The practical impact is limited because the fetched response body is passed directly to Pillow's Image.open() to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).

Affected versions

  • langchain-openai < 1.1.14

Patched versions

  • langchain-openai >= 1.1.14 (requires langchain-core >= 1.2.31)

Affected code

File: libs/partners/openai/langchain openai/chat models/base.py url to size()
The vulnerable pattern was a validate-then-fetch with separate DNS resolution:
python
validate safe url(image source, allow private=False, allow http=True)
# ... separate network operation with independent DNS resolution ...
response = httpx.get(image source, timeout=timeout)

Fix

The fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that:
  • Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)
  • Pins the connection to the validated IP, eliminating the DNS rebinding window
  • Disables redirect following to prevent redirect-based SSRF bypasses
This fix was released in langchain-openai 1.1.14.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

GHSA-R7W7-9XR2-QQ2R

Affected Products

Langchain-Openai