CVE-2023-46229

Description

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.

How to fix CVE-2023-46229

To remediate CVE-2023-46229, upgrade the affected package to a fixed version below.

• PyPI/langchain—upgrade to 0.0.317 or later
• PyPI/langchain—upgrade to 9ecb7240a480720ec9d739b3877a52f76098a2b8 or later

Is CVE-2023-46229 being exploited?

Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 0.0.317
• from 0, < 9ecb7240a480720ec9d739b3877a52f76098a2b8 | from 0, < 0.0.317

CVSS scores

References (6)

• ADVISORYgithub.com/advisories/GHSA-655w-fm8m-m478
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46229
• PATCHgithub.com/langchain-ai/langchain
• WEBgithub.com/langchain-ai/langchain/commit/9ecb7240a480720ec9d739b3877a52f76098a2b8