chore(deps): update dependency @langchain/community to v1.1.18 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@langchain/community (source)	1.1.5 → 1.1.18

GitHub Vulnerability Alerts

CVE-2026-26019

Description

The RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL.

The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target (e.g., https://example.com.attacker.com passes a startsWith check against https://example.com), causing the crawler to follow links to attacker-controlled or internal infrastructure.

Additionally, the crawler performed no validation against private or reserved IP addresses. A crawled page could include links targeting cloud metadata services (169.254.169.254), localhost, or RFC 1918 addresses, and the crawler would fetch them without restriction.

Impact

An attacker who can influence the content of a page being crawled (e.g., by placing a link on a public-facing page, forum, or user-generated content) could cause the crawler to:

• Fetch cloud instance metadata (AWS, GCP, Azure), potentially exposing IAM credentials and session tokens
• Access internal services on private networks (10.x, 172.16.x, 192.168.x)
• Connect to localhost services
• Exfiltrate response data via attacker-controlled redirect chains

This is exploitable in any environment where RecursiveUrlLoader runs on infrastructure with access to cloud metadata or internal services — which includes most cloud-hosted deployments.

Resolution

Two changes were made:

1. Origin comparison replaced. The startsWith check was replaced with a strict origin comparison using the URL API (new URL(link).origin === new URL(baseUrl).origin). This correctly validates scheme, hostname, and port as a unit, preventing subdomain-based bypasses.

2. SSRF validation added to all fetch operations. A new URL validation module (@langchain/core/utils/ssrf) was introduced and applied before every outbound fetch in the crawler. This blocks requests to:

   • Cloud metadata endpoints: 169.254.169.254, 169.254.170.2, 100.100.100.200, metadata.google.internal, and related hostnames
   • Private IP ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16
   • IPv6 equivalents: ::1, fc00::/7, fe80::/10
   • Non-HTTP/HTTPS schemes (file:, ftp:, javascript:, etc.)

Cloud metadata endpoints are unconditionally blocked and cannot be overridden.

Workarounds

Users who cannot upgrade immediately should avoid using RecursiveUrlLoader on untrusted or user-influenced content, or should run the crawler in a network environment without access to cloud metadata or internal services.

CVE-2026-27795

Summary

A redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects automatically, which permits a transition from a safe public URL to an internal or metadata endpoint without revalidation. This is a bypass of the SSRF protections introduced in 1.1.14 (CVE-2026-26019).

Affected Component

• Package: @langchain/community
• Component: RecursiveUrlLoader
• Configuration: preventOutside (default: true) is insufficient to prevent this bypass when redirects are followed automatically.

Description

RecursiveUrlLoader is a web crawler that recursively follows links from a starting URL. The existing SSRF mitigation validates the initial URL before fetching, but it does not re-validate when the request follows redirects. Because fetch follows redirects by default, an attacker can supply a public URL that passes validation and then redirects to a private network address, localhost, or cloud metadata endpoint.

This constitutes a “check‑then‑act” gap in the request lifecycle: the safety check occurs before the redirect chain is resolved, and the final destination is never validated.

Impact

If an attacker can influence content on a page being crawled (e.g., user‑generated content, untrusted external pages), they can cause the crawler to:

• Fetch cloud instance metadata (AWS, GCP, Azure), potentially exposing credentials or tokens
• Access internal services on private networks (10.x, 172.16.x, 192.168.x)
• Connect to localhost services
• Exfiltrate response data through attacker-controlled redirect chains

This is exploitable in any environment where RecursiveUrlLoader runs with access to internal networks or metadata services, which includes most cloud-hosted deployments.

Attack Scenario

1. The crawler is pointed at a public URL that passes initial SSRF validation.
2. That URL responds with a 3xx redirect to an internal target.
3. The fetch follows the redirect automatically without revalidation.
4. The crawler accesses the internal or metadata endpoint.

Example redirector:

https://302.r3dir.me/--to/?url=http://169.254.169.254/latest/meta-data/

Root Cause

• SSRF validation (validateSafeUrl) is only performed on the initial URL.
• Redirects are followed automatically by fetch (redirect: "follow" default), so the request can change destinations without additional validation.

Resolution

Upgrade to @langchain/community >= 1.1.18, which validates every redirect hop by disabling automatic redirects and re-validating Location targets before following them.

• Automatic redirects are disabled (redirect: "manual").
• Each 3xx Location is resolved and validated with validateSafeUrl() before the next request.
• A maximum redirect limit prevents infinite loops.

Reources

• Original SSRF fix (CVE-2026-26019): enforced origin comparison and added initial URL validation
• GHSA-gf3v-fwqg-4vh7

---

Release Notes

langchain-ai/langchainjs (@​langchain/community)

v1.1.18

Patch Changes

• #​9900 a9b5059 Thanks @​hntrl! - fix(core): update method signatures to use Partial<CallOptions> for options parameters

  Updated invoke, stream, generate, and generatePrompt method signatures across Runnable, BaseChatModel, and BaseLLM to correctly accept Partial<CallOptions> instead of full CallOptions. This aligns the implementation with the RunnableInterface specification and allows users to pass partial options (e.g., { signal: abortedSignal }) without TypeScript errors.

• #​9900 a9b5059 Thanks @​hntrl! - Improved abort signal handling for chat models:

  • Added ModelAbortError class in @langchain/core/errors that contains partial output when a model invocation is aborted mid-stream
  • invoke() now throws ModelAbortError with accumulated partialOutput when aborted during streaming (when using streaming callback handlers)
  • stream() throws a regular AbortError when aborted (since chunks are already yielded to the caller)
  • All provider implementations now properly check and propagate abort signals in both _generate() and _streamResponseChunks() methods
  • Added standard tests for abort signal behavior

v1.1.16

Patch Changes

• #​9830 70387a1 Thanks @​bracesproul! - fix: More undefined null errors and tests

• #​9679 a7c6ec5 Thanks @​christian-bromann! - feat(openai): elevate OpenAI image generation outputs to proper image content blocks

• #​9817 5e04543 Thanks @​Ashx098! - read error.status when response.status is absent to avoid retrying OpenAI SDK 4xx

• #​9819 40b4467 Thanks @​MrDockal! - Tool call content returns compacted json

• #​9815 17e30bd Thanks @​hntrl! - fix(core): respect tracingEnabled=false from RunTree when env tracing is enabled

v1.1.15

Patch Changes

• #​9781 230462d Thanks @​christian-bromann! - fix(core): preserve index and timestamp fields in _mergeDicts

v1.1.14

Patch Changes

• #​9990 d5e3db0 Thanks @​hntrl! - feat(core): Add SSRF protection module (@langchain/core/utils/ssrf) with utilities for validating URLs against private IPs, cloud metadata endpoints, and localhost.

  fix(community): Harden RecursiveUrlLoader against SSRF attacks by integrating validateSafeUrl and replacing string-based URL comparison with origin-based isSameOrigin from the shared SSRF module.

• Updated dependencies [d5e3db0, 6939dab, ad581c7]:

  • @​langchain/core@​1.1.21
  • @​langchain/openai@​1.2.7
  • @​langchain/classic@​1.0.17

v1.1.13

Patch Changes

• #​9777 3efe79c Thanks @​christian-bromann! - fix(core): properly elevate reasoning tokens

• #​9789 b8561c1 Thanks @​hntrl! - source JsonOutputParser content from text accessor

v1.1.12

Compare Source

Patch Changes

• #​9517 23be5af Thanks @​christian-bromann! - fix(@​langchain/core): add literal name type inference to tool()

v1.1.11

Compare Source

Patch Changes

• #​9753 a46a249 Thanks @​christian-bromann! - fix(core): allow shared object references in serialization

v1.1.10

Compare Source

Patch Changes

• #​9746 817fc9a Thanks @​bracesproul! - fix: _mergeDicts error when merging undefined values

v1.1.9

Compare Source

Patch Changes

• #​9725 56600b9 Thanks @​Orenoid! - fix(langchain): update merge logic for numeric values in mergeDicts

• #​9736 dc5c2ac Thanks @​hntrl! - fix(core): handle circular references in load

• #​9739 c28d24a Thanks @​christian-bromann! - fix(core): use getBufferString for message summarization

• #​9702 bfcb87d Thanks @​christian-bromann! - fix(core): improve interop with Zod

v1.1.8

Patch Changes

• #​9707 e5063f9 Thanks @​hntrl! - add security hardening for load

• #​9684 8996647 Thanks @​christian-bromann! - fix(core): document purpose of name in base message

v1.1.6

Compare Source

Patch Changes

• #​9835 adb3625 Thanks @​maahir30! - Use UTF-8 byte length for metadata fields

• Updated dependencies []:

  • @​langchain/classic@​1.0.10

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
charites-ai	Ready	Preview, Comment	Feb 25, 2026 11:24pm

[cloudflare-workers-and-pages]

Deploying charites-ai with    Cloudflare Pages

Latest commit:	8f74733
Status:	✅  Deploy successful!
Preview URL:	https://0b5b075e.charites-ai.pages.dev
Branch Preview URL:	https://renovate-npm-langchain-commu.charites-ai.pages.dev

View logs

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.