CVE-2025-2828

10.0 CRITICAL

📋 TL;DR

This Server-Side Request Forgery (SSRF) vulnerability in langchain-community's RequestsToolkit allows attackers to make unauthorized requests to internal network resources. It affects users of langchain-ai/langchain version 0.0.27 who use the RequestsToolkit component. Attackers can access local services, cloud metadata, and perform network reconnaissance.

💻 Affected Systems

Products:
  • langchain-ai/langchain
Versions: 0.0.27
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit component

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of cloud instance metadata leading to privilege escalation, access to sensitive internal services, and lateral movement within the network.

🟠 Likely Case

Exfiltration of cloud metadata credentials, port scanning of internal networks, and unauthorized access to internal APIs/services.

🟢 If Mitigated

Limited to external resource access only, preventing internal network enumeration and metadata access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the vulnerable component but is straightforward once access is obtained

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.28

Vendor Advisory: https://github.com/langchain-ai/langchain/commit/e188d4ecb085d4561a0be3c583d26aa9c2c3283f

Restart Required: No

Instructions:

1. Update langchain package: pip install --upgrade langchain==0.0.28
2. Verify the update: pip show langchain
3. Restart any running applications using the package

🔧 Temporary Workarounds

Network-level restrictions (platforms: all)

Implement network segmentation and firewall rules to block outbound requests from the vulnerable system to internal networks and cloud metadata endpoints

Disable RequestsToolkit (platforms: all)

Remove or disable the vulnerable RequestsToolkit component if not required

🧯 If You Can't Patch

  • Implement strict network egress filtering to block access to internal IP ranges (RFC1918) and cloud metadata endpoints (169.254.169.254, 169.254.170.2)
  • Use application-level request validation to whitelist allowed domains and block local/internal addresses
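
One way to implement the application-level validation described above, as an added example (not code from langchain or from the fix commit). The allow-list entry, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the only hosts this deployment may call (constructed sample value).
ALLOWED_HOSTS = {"api.example.com"}


def system_resolver(host, port):
    """Return every address the system resolver gives for host."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]


def is_internal(addr):
    """True for loopback, RFC1918, link-local (169.254.0.0/16) and similar ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # classify ::ffff:a.b.c.d as the IPv4 address it wraps
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def check_url(url, resolver=system_resolver):
    """Return (allowed, reason) for an outbound request to url."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "no host"
    try:
        if is_internal(host):  # IP literal pointing at an internal range
            return False, f"internal address {host}"
    except ValueError:
        pass  # not an IP literal; fall through to the allow-list
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    try:
        addrs = resolver(host, port or (443 if parts.scheme == "https" else 80))
    except OSError:
        return False, "resolution failed"
    # Reject if ANY resolved address is internal, not just the first one.
    internal = [a for a in addrs if is_internal(a)]
    if internal:
        return False, f"resolves to internal address {internal[0]}"
    return (True, "ok") if addrs else (False, "resolution failed")
```

The check has to run again on every redirect target, so disable automatic redirect following in the HTTP client or validate each hop. Because DNS answers can change between the check and the connection, keep the network egress filtering in place as well.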

🔍 How to Verify

Check if Vulnerable:

Check if langchain version 0.0.27 is installed and if RequestsToolkit is being used in the application

Check Version:

pip show langchain | grep Version

Verify Fix Applied:

Verify langchain version is 0.0.28 or higher and test that internal network requests are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests to internal IP addresses
  • Requests to cloud metadata endpoints from application servers
  • Port scanning patterns from application processes

Network Indicators:

  • HTTP requests from application servers to 169.254.169.254, 169.254.170.2, or RFC1918 addresses
  • Multiple rapid connection attempts to different internal ports

SIEM Query:

source="application_logs" AND (dest_ip=169.254.169.254 OR dest_ip=169.254.170.2 OR dest_ip IN [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16])
