
CVE-2026-27795: The Chain Breaker: Bypassing LangChain's SSRF Guards
Vulnerability ID: CVE-2026-27795
CVSS Score: 4.1
Published: 2026-02-25

A Server-Side Request Forgery (SSRF) bypass was found in the @langchain/community package, specifically in the RecursiveUrlLoader. Although this component had previously been hardened against internal-network scanning, the implementation did not handle HTTP redirects itself: it validated the caller-supplied URL and then let the HTTP client follow redirects automatically, so the redirect target was never checked. An attacker could therefore supply a benign, validated URL that redirected the server's HTTP client to a sensitive internal resource (such as the AWS instance metadata service or a local admin panel), bypassing the initial check entirely. This is the classic check-then-act gap (time of check versus time of use): the property that was verified, that the URL points outside the internal network, no longer holds by the time the request is actually issued.

TL;DR: LangChain's URL loader checked whether a URL was safe before fetching it, but let the fetch client automatically follow redirects to unsafe destinations. An attacker could use a 'safe' URL that redirects to 169.254.169.254 to steal cloud credent
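The pattern described above, as an added example that is not code from @langchain/community or from the original article: a URL loader whose SSRF guard checks only the caller-supplied URL and then lets the client follow redirects, beside a hardened loader that handles redirects itself and re-validates every hop before the next request. The DNS table, the in-memory "network" and the hostnames (attacker.example, example.com) are constructed stubs so the example runs offline; the `fakeFetch` stand-in mimics the `redirect: "follow"` / `redirect: "manual"` behaviour of Node's fetch.

```javascript
// Added example, not @langchain/community code. Constructed DNS table
// (hypothetical hosts) standing in for a real resolver.
const FAKE_DNS = {
  "example.com": "93.184.216.34",
  "attacker.example": "203.0.113.7",
  "localhost": "127.0.0.1",
};

// Constructed in-memory network: what each URL answers with. The attacker's
// page answers the validated URL with a 302 to the cloud metadata address.
const METADATA_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/";
const FAKE_NET = {
  "http://attacker.example/page": { status: 302, headers: { location: METADATA_URL } },
  [METADATA_URL]: { status: 200, body: "role-name" },
  "http://example.com/": { status: 200, body: "<html>ok</html>" },
  "http://example.com/old": { status: 301, headers: { location: "/new" } },
  "http://example.com/new": { status: 200, body: "moved here" },
};

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// IPv4 ranges an internal-network guard should refuse: 0.0.0.0/8, loopback,
// RFC 1918 and link-local (which includes 169.254.169.254).
function isBlockedIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// The guard: parse, require http(s), resolve the host, reject blocked ranges.
// Anything that does not resolve (including IPv6 literals here) is unsafe.
function isSafeUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname;
  const ip = IPV4_LITERAL.test(host) ? host : FAKE_DNS[host];
  return Boolean(ip) && !isBlockedIPv4(ip);
}

// Stand-in for fetch(): redirect "follow" chases Location headers itself,
// redirect "manual" hands the 3xx back to the caller untouched.
function fakeFetch(urlString, { redirect = "follow" } = {}) {
  let current = new URL(urlString).href;
  for (let hops = 0; hops <= 20; hops++) {
    const resp = FAKE_NET[current] || { status: 404, body: "" };
    const location = resp.headers && resp.headers.location;
    const isRedirect = resp.status >= 300 && resp.status < 400 && Boolean(location);
    if (!isRedirect || redirect === "manual") {
      return { status: resp.status, url: current, body: resp.body || "", headers: resp.headers || {} };
    }
    current = new URL(location, current).href;
  }
  throw new Error("too many redirects");
}

// Vulnerable pattern: the guard runs once, on the URL the caller supplied;
// the client then follows the attacker's redirect to an address the guard
// would have rejected.
function loadVulnerable(urlString) {
  if (!isSafeUrl(urlString)) throw new Error("blocked: " + urlString);
  const resp = fakeFetch(urlString, { redirect: "follow" });
  return { finalUrl: resp.url, body: resp.body };
}

// Hardened pattern: the loader handles redirects itself and re-validates
// every hop before the next request goes out.
function loadHardened(urlString, maxRedirects = 5) {
  let current = urlString;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (!isSafeUrl(current)) throw new Error("blocked: " + current);
    const resp = fakeFetch(current, { redirect: "manual" });
    if (resp.status >= 300 && resp.status < 400 && resp.headers.location) {
      current = new URL(resp.headers.location, current).href;
      continue;
    }
    return { finalUrl: resp.url, body: resp.body };
  }
  throw new Error("too many redirects");
}

// Demo: the same attacker URL passes the guard in both loaders, but only the
// vulnerable one ends up reading the metadata endpoint.
console.log("vulnerable:", loadVulnerable("http://attacker.example/page"));
try { loadHardened("http://attacker.example/page"); }
catch (e) { console.log("hardened:", e.message); }
console.log("hardened, benign redirect:", loadHardened("http://example.com/old"));
```

Two caveats a practitioner will want: in Node, `fetch(url, { redirect: "manual" })` returns the 3xx with its Location header so the loop above works, whereas browsers return an opaque response; and because the guard resolves the hostname separately from the request, a host whose DNS answer changes between check and connect (DNS rebinding) still slips through, so a production guard should pin the resolved address it validated and connect to that.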
Continue reading on Dev.to

