Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐍 PyPI

GHSA-2g6r-c272-w58r

LOW

LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages

Also known asCVE-2026-26013
Published
Feb 11, 2026
Updated
Feb 11, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.4%probability of exploitation in next 30 days
Lower Risk30th percentile+0.36%
0.00%0.29%0.59%0.88%0.0%0.0%0.0%0.0%0.4%Mar 26May 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐍langchain-core

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.

Description

Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting

Summary

The ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.

Severity

Low - The vulnerability allows SSRF attacks but has limited impact due to:

  • Responses are not returned to the attacker (blind SSRF)
  • Default 5-second timeout limits resource exhaustion
  • Non-image responses fail at PIL image parsing

Impact

An attacker who can control image URLs passed to get_num_tokens_from_messages() can:

  • Trigger HTTP requests from the application server to arbitrary internal or external URLs
  • Cause the server to access internal network resources (private IPs, cloud metadata endpoints)
  • Cause minor resource consumption through image downloads (bounded by timeout)

Note: This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).

Details

The vulnerable code path:

  1. get_num_tokens_from_messages() processes messages containing image_url content blocks
  2. For images without detail: "low", it calls _url_to_size() to fetch the image and compute token counts
  3. _url_to_size() performs httpx.get(image_source) on any URL without validation
  4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout

File: libs/partners/openai/langchain_openai/chat_models/base.py

Patches

The vulnerability has been patched in langchain-openai==1.1.9 (requires langchain-core==1.2.11).

The patch adds:

  1. SSRF validation using langchain_core._security._ssrf_protection.validate_safe_url() to block:
    • Private IP ranges (RFC 1918, loopback, link-local)
    • Cloud metadata endpoints (169.254.169.254, etc.)
    • Invalid URL schemes
  2. Explicit size limits (50 MB maximum, matching OpenAI's payload limit)
  3. Explicit timeout (5 seconds, same as httpx.get default)
  4. Allow disabling image fetching via allow_fetching_images=False parameter

Workarounds

If you cannot upgrade immediately:

  1. Sanitize input: Validate and filter image_url values before passing messages to token counting or model invocation
  2. Use network controls: Implement egress filtering to prevent outbound requests to private IPs

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐍PyPIlangchain-coreall versions1.2.11

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for langchain-core. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update langchain-core to 1.2.11 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-2g6r-c272-w58r is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-2g6r-c272-w58r is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-2g6r-c272-w58r. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting ### Summary The `ChatOpenAI.get_num_tokens_from_messages()` method fetches arbitrary `image_url` values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. ### Severity **Low** - The vulnerability allows SSRF attacks but has limited impact due to: - Responses are not returned to the attacker (blind SSRF) - Default 5-second timeout limits resource exhaustion - Non-image respon
O3 Security · Impact-Aware SCA

Is GHSA-2g6r-c272-w58r in your dependencies?

O3 detects GHSA-2g6r-c272-w58r across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works