CVE-2026-26019: CWE-918: Server-Side Request Forgery (SSRF) in langchain-ai langchainjs
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services, localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction. This vulnerability is fixed in 1.1.14.
AI Analysis
Technical Summary
LangChain is a framework for building applications powered by large language models (LLMs). In langchainjs, the RecursiveUrlLoader class in @langchain/community is a web crawler used as a document loader: given a starting URL it fetches the page, extracts the links on it, follows them recursively, and turns what it fetches into documents. Its preventOutside option (enabled by default) is meant to keep the crawl on the same site as the base URL. In versions prior to 1.1.14 that restriction was a plain String.startsWith() comparison of each candidate link against the base URL, not a comparison of parsed origins. A string-prefix check is bypassable by construction: with a base of https://example.com, a link to https://example.com.attacker.example passes because it shares the prefix, even though it is a different host. Anyone who controls content on a page the crawler visits, which in a recursive crawl means any page reachable within the configured depth, can therefore plant links that the filter accepts but that lead to attacker-controlled or internal hosts. Independently of the filter, the crawler performed no validation of the destination address at all: a link pointing at a cloud metadata service such as 169.254.169.254, at localhost, or at an RFC 1918 address was fetched like any other. Together these give a classic SSRF: the crawler can be steered into instance metadata or internal network services, and because the loader's purpose is to ingest fetched content, whatever it retrieves flows into the application's document store or LLM context. The issue affects @langchain/community versions prior to 1.1.14 and is tracked as CVE-2026-26019 with a CVSS v3.1 base score of 4.1 (medium); exploitation requires low privileges and user interaction. The exposure is not limited to deployments with preventOutside enabled: with the option on, the filter is bypassable, and with it off, every discovered link is followed, so any application that crawls content it does not fully control is affected. Version 1.1.14 fixes the issue with semantic URL validation and restrictions on private and reserved address ranges.
Potential Impact
Organizations running @langchain/community versions prior to 1.1.14 with RecursiveUrlLoader are exposed to SSRF whenever a crawl reaches content they do not control. An attacker who can place links on such a page can steer the crawler to unintended external or internal destinations. The most serious target is the cloud metadata service: where it answers a plain GET (for example AWS IMDSv1), it returns instance identity and temporary IAM credentials, which the loader would then ingest as documents alongside everything else it fetched. Internal HTTP services reachable from the crawler's network position are exposed the same way. The CVSS score is medium, but the confidentiality impact can be significant when such resources are reachable. Integrity and availability impact is minimal, since the flaw primarily yields information disclosure. The requirement for user interaction and low privileges narrows the attack surface, but any deployment that crawls third-party or user-supplied URLs for ingestion should treat this as a real risk, particularly in cloud environments or on hosts with network access to internal services. No exploitation in the wild is known, which lowers immediate risk but does not preclude future attempts.
Mitigation Recommendations
Upgrade @langchain/community to 1.1.14 or later, where link filtering uses semantic URL validation and private or reserved address ranges are blocked. Until then, treat the crawler as an untrusted HTTP client and contain it at the network layer: run it under an egress policy (host firewall or egress proxy with an allowlist) that denies connections to 127.0.0.0/8, the RFC 1918 ranges, the link-local range 169.254.0.0/16 that hosts cloud metadata endpoints, and their IPv6 equivalents. A web application firewall does not help here: it inspects traffic coming into the application, not requests the application itself makes. Harden the metadata service where the platform allows it: on AWS, require IMDSv2 so that a bare GET returns nothing; on GCP and Azure the metadata endpoints already require a custom request header that a generic crawler does not send, which blunts this vector but does not protect other internal services. Give the crawler host the least cloud and network privilege it needs. Limit what the crawler can reach: restrict start URLs to sources you control, keep maxDepth low, use excludeDirs to prune paths that carry user-generated content, and avoid crawling any site where third parties can post links. If you must crawl untrusted content, wrap fetches in your own pre-flight check that parses each URL, compares origins, and rejects loopback, private, link-local and multicast literals, and apply it to every redirect hop, not only the first request. Log the crawler's outbound requests and alert on destinations in internal or link-local ranges. Include applications that use langchainjs loaders in regular security assessments, with SSRF in scope.
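The following is an added example, not code from langchainjs or from the @langchain/community package, written for Node's built-in WHATWG URL parser. It illustrates both points above: the technical summary's String.startsWith() bypass (a bare prefix comparison beside an origin comparison) and the mitigation paragraph's pre-flight check (a destination-address filter that rejects loopback, RFC 1918, link-local including 169.254.169.254, shared address space, multicast and their IPv6 forms). Function names, the example.com base, the attacker.test host and the sample links are all constructed for the demonstration; the patched library's internals may differ.

```javascript
// Added example, not code from langchainjs or @langchain/community.
// Contrasts the String.startsWith() same-site check described in the
// advisory with an origin comparison, and adds the destination-address
// filter the crawler lacked. Function names and hosts are illustrative.

// Flawed check as the advisory describes it: bare string prefix comparison.
function prefixSameSite(baseUrl, link) {
  return link.startsWith(baseUrl);
}

// Semantic check: parse both URLs (relative links resolve against the base)
// and compare scheme + host + port. Anything unparseable is rejected.
function sameOrigin(baseUrl, link) {
  try {
    return new URL(baseUrl).origin === new URL(link, baseUrl).origin;
  } catch {
    return false;
  }
}

// Dotted-quad parser. URL.hostname already normalizes forms such as
// "2130706433" or "0x7f000001" to dotted quads for http(s) URLs.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isInternalIPv4(host) {
  const o = parseIPv4(host);
  if (!o) return false;
  const [a, b] = o;
  return a === 0 || a === 10 || a === 127 ||      // this-host, RFC 1918, loopback
    (a === 169 && b === 254) ||                     // link-local, incl. 169.254.169.254
    (a === 172 && b >= 16 && b <= 31) ||            // RFC 1918
    (a === 192 && b === 168) ||                     // RFC 1918
    (a === 100 && b >= 64 && b <= 127) ||           // shared address space (CGNAT)
    a >= 224;                                       // multicast and reserved
}

// Loopback, unspecified, link-local, unique-local, and IPv4-mapped
// addresses (dotted or hex form) whose embedded IPv4 address is internal.
function isInternalIPv6(ip) {
  const v6 = ip.toLowerCase();
  if (v6 === "::1" || v6 === "::" || /^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true;
  const mapped = /^::ffff:(.+)$/.exec(v6);
  if (!mapped) return false;
  if (parseIPv4(mapped[1])) return isInternalIPv4(mapped[1]);
  const groups = mapped[1].split(":").map((g) => parseInt(g || "0", 16));
  const [hi, lo] = groups.length === 1 ? [0, groups[0]] : groups;
  return isInternalIPv4(`${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`);
}

// Policy for a URL's host as returned by URL.hostname (IPv6 comes bracketed).
// Plain hostnames pass here; what they resolve to is not checked offline.
function isInternalHost(hostname) {
  let host = hostname.toLowerCase();
  if (host.startsWith("[") && host.endsWith("]")) host = host.slice(1, -1);
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "metadata.google.internal") return true; // GCP metadata hostname
  if (host.includes(":")) return isInternalIPv6(host);
  return isInternalIPv4(host);
}

// Crawl decision mirroring the loader's preventOutside option; the
// destination-address check applies whether or not that option is set.
function shouldFollow(baseUrl, link, { preventOutside = true } = {}) {
  let target;
  try {
    target = new URL(link, baseUrl);
  } catch {
    return { follow: false, reason: "unparseable" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") return { follow: false, reason: "scheme" };
  if (isInternalHost(target.hostname)) return { follow: false, reason: "internal-host" };
  if (preventOutside && !sameOrigin(baseUrl, link)) return { follow: false, reason: "cross-origin" };
  return { follow: true, reason: "ok" };
}

// Constructed sample links, as an attacker-controlled page might carry them.
function demo() {
  const base = "https://example.com";
  const links = [
    "https://example.com/docs/page2",           // legitimate same-site link
    "https://example.com.attacker.test/",        // shares the string prefix, different host
    "https://example.com@attacker.test/",        // prefix is userinfo, host is attacker.test
    "http://169.254.169.254/latest/meta-data/",  // cloud metadata service
    "http://2130706433/",                         // 127.0.0.1 written as an integer
    "http://[::1]:8080/admin",                    // IPv6 loopback
  ];
  return links.map((link) => ({
    link,
    prefixCheckAllows: prefixSameSite(base, link),
    sameOrigin: sameOrigin(base, link),
    internalHost: isInternalHost(new URL(link, base).hostname),
    withPreventOutside: shouldFollow(base, link).reason,
    withoutPreventOutside: shouldFollow(base, link, { preventOutside: false }).reason,
  }));
}

console.table(demo());
```

Running it shows the two attacker links passing prefixSameSite while sameOrigin rejects them, and the metadata, integer-IP and IPv6-loopback links being refused by isInternalHost even with preventOutside off. Two limits matter in practice: the filter only sees literals, so a hostname the attacker points at 169.254.169.254 via DNS (or rebinds after the check) needs a resolve-then-verify step at connection time, and a 30x redirect to an internal address must be validated per hop, which means fetching with redirect set to "manual" and re-running the check on each Location. A deployment whose base URL is itself on an internal network should replace the deny list with an allowlist of the hosts it intends to crawl.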
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Japan, South Korea, France, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T21:36:29.554Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 698cf5244b57a58fa1cd824c
Added to database: 2/11/2026, 9:31:16 PM
Last enriched: 2/19/2026, 1:57:48 PM
Last updated: 3/29/2026, 12:26:06 AM