8.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-2828

GHSA ID

GHSA-h5gc-rm8j-5gpr

EPSS Score

0.10642%

CWE

CWE-918

Published

6/23/2025

Updated

6/25/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-2828

CVE-2025-2828:
LangChain Community SSRF vulnerability exists in RequestsToolkit component

A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.

(GitHub Advisory)

8.4

CVSS Score

3.0

Basic Information

CVE ID

CVE-2025-2828

GHSA ID

GHSA-h5gc-rm8j-5gpr

EPSS Score

0.10642%

CWE

CWE-918

Published

6/23/2025

Updated

6/25/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
langchain-community	pip	< 0.0.27	0.0.28

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The root cause of the vulnerability is a Server-Side Request Forgery (SSRF) in the RequestsToolkit component of the langchain-community package. The request-making tools (RequestsGetTool, RequestsPostTool, etc.) did not have any restrictions on the URLs they could be instructed to access. This allowed an attacker to potentially scan internal networks, access local services, or query cloud metadata endpoints.

The vulnerability was not in a single line of code but rather in the design of how these powerful tools were provided to the end-developer. They were insecure by default. The investigation of the patch e188d4ecb085d4561a0be3c583d26aa9c2c3283f reveals that the fix was to introduce a mandatory opt-in mechanism.

A check was added to the __init__ method of BaseRequestsTool, the parent class for all request tools. This check ensures that a developer must explicitly pass allow_dangerous_requests=True to instantiate any of these tools, preventing accidental insecure use.
Factory functions like RequestsToolkit.get_tools and the high-level load_tools function were modified to propagate this new security flag. Before the patch, these functions would create and return the request tools in their default, vulnerable state.

Therefore, the vulnerable functions are the ones responsible for creating and providing these insecurely configured tools to the end-user, as they were the entry points for introducing the SSRF risk into an application.

Vulnerable functions

langchain_community.tools.requests.tool.BaseRequestsTool.__init__

libs/community/langchain_community/tools/requests/tool.py

The constructors for all request tools (which inherit from BaseRequestsTool, e.g., RequestsGetTool, RequestsPostTool) were vulnerable. They allowed the creation of tool instances without any SSRF protection mechanism, enabling subsequent calls to their `run` method to target internal network addresses. The vulnerability lies in the absence of the check that was added in the patch. The patch introduces a mandatory `allow_dangerous_requests=True` flag that must be provided during instantiation, thus preventing the inadvertent use of these tools for malicious purposes.

langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit.get_tools

libs/community/langchain_community/agent_toolkits/openapi/toolkit.py

This function acts as a factory, creating and returning a list of request-making tools. Prior to the patch, it instantiated these tools in their default, insecure configuration which lacked SSRF protection. An attacker could abuse this to make the server issue requests to internal network resources. The fix involves passing the `allow_dangerous_requests` parameter during tool creation, which is then validated by the tool's constructor.

langchain.agents.load_tools.load_tools

libs/langchain/langchain/agents/load_tools.py

This is a high-level utility function for loading tools by name. Before the patch, it would load the powerful `requests_*` tools without requiring any explicit user consent or warning about the potential security risks. This made it easy for developers to unknowingly introduce an SSRF vulnerability into their applications. The patch introduces the `allow_dangerous_tools` flag as a security control to force an opt-in.

WAF Protection Rules

WAF Rule

* S*rv*r-Si** R*qu*st *or**ry (SSR*) vuln*r**ility *xists in t** R*qu*stsToolkit *ompon*nt o* t** l*n****in-*ommunity p**k*** (sp**i*i**lly, l*n****in_*ommunity.***nt_toolkits.op*n*pi.toolkit.R*qu*stsToolkit) in l*n****in-*i/l*n****in v*rsion *.*.**.

Reasoning

T** root **us* o* t** vuln*r**ility is * S*rv*r-Si** R*qu*st *or**ry (SSR*) in t** `R*qu*stsToolkit` *ompon*nt o* t** `l*n****in-*ommunity` p**k***. T** r*qu*st-m*kin* tools (`R*qu*sts**tTool`, `R*qu*stsPostTool`, *t*.) *i* not **v* *ny r*stri*tions

8.4

Basic Information

Concerned about an active attack path?

CVE-2025-2828: LangChain Community SSRF vulnerability exists in RequestsToolkit component

8.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-2828:
LangChain Community SSRF vulnerability exists in RequestsToolkit component

Vulnerability Intelligence
Miggo AI