Skip to content

chore(deps): update dependency langchain-openai to v1.1.14 [security]#404

Open
a-klos wants to merge 1 commit into
mainfrom
renovate/pypi-langchain-openai-vulnerability
Open

chore(deps): update dependency langchain-openai to v1.1.14 [security]#404
a-klos wants to merge 1 commit into
mainfrom
renovate/pypi-langchain-openai-vulnerability

Conversation

@a-klos
Copy link
Copy Markdown
Member

@a-klos a-klos commented Jun 7, 2026

This PR contains the following updates:

Package Change Age Confidence
langchain-openai (changelog) 1.1.8 -> 1.1.14 age confidence

GitHub Vulnerability Alerts

CVE-2026-41488

Summary

langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch.

The practical impact is limited because the fetched response body is passed directly to Pillow's Image.open() to extract dimensions — the response content is never returned, logged, or otherwise exposed to the caller. An attacker cannot exfiltrate data from internal services through this path. A potential risk is blind probing (inferring whether an internal host/port is open based on timing or error behavior).

Affected versions

  • langchain-openai < 1.1.14

Patched versions

  • langchain-openai >= 1.1.14 (requires langchain-core >= 1.2.31)

Affected code

File: libs/partners/openai/langchain_openai/chat_models/base.py_url_to_size()

The vulnerable pattern was a validate-then-fetch with separate DNS resolution:

validate_safe_url(image_source, allow_private=False, allow_http=True)

# ... separate network operation with independent DNS resolution ...
response = httpx.get(image_source, timeout=timeout)

Fix

The fix replaces the validate-then-fetch pattern with an SSRF-safe httpx transport (SSRFSafeSyncTransport from langchain-core) that:

  • Resolves DNS once and validates all returned IPs against a policy (private ranges, cloud metadata, localhost, k8s internal DNS)
  • Pins the connection to the validated IP, eliminating the DNS rebinding window
  • Disables redirect following to prevent redirect-based SSRF bypasses

This fix was released in langchain-openai 1.1.14.

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@a-klos a-klos added python Pull requests that update python code renovate labels Jun 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

python Pull requests that update python code renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@a-klos @renovate-bot