Home > Vulnerability Database > CVE-2025-2828

Mend.io Vulnerability Database

CVE-2025-2828

Good to know:

Date: June 23, 2025

A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28.

Severity Score

8.4

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-2828

Url: https://github.com/langchain-ai/langchain/commit/e188d4ecb085d4561a0be3c583d26aa9c2c3283f

Url: https://huntr.com/bounties/8f771040-7f34-420a-b96b-5b93d4a99afc

Url: https://github.com/pypa/advisory-database/tree/main/vulns/langchain-community/PYSEC-2025-70.yaml

Url: https://github.com/langchain-ai/langchain-community

Url: https://www.mend.io/vulnerability-database/CVE-2025-2828

Severity Score

8.4

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version langchain-community - 0.0.28;langchain-community - 0.0.28;langchain-community - 0.0.28

Learn More

CVSS v3.1

Base Score:	8.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-2828

Good to know:

Date: June 23, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?