chore(deps): update dependency langchain-core to v1 [security]

[renovate-bot]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
langchain-core (source, changelog)	>=0.1.1, <1.0.0 → >=1.2.11, <1.2.12
langchain-core (source, changelog)	==0.3.81 → ==1.2.11

GitHub Vulnerability Alerts

CVE-2026-26013

Server-Side Request Forgery (SSRF) in ChatOpenAI Image Token Counting

Summary

The ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input.

Severity

Low - The vulnerability allows SSRF attacks but has limited impact due to:

• Responses are not returned to the attacker (blind SSRF)
• Default 5-second timeout limits resource exhaustion
• Non-image responses fail at PIL image parsing

Impact

An attacker who can control image URLs passed to get_num_tokens_from_messages() can:

• Trigger HTTP requests from the application server to arbitrary internal or external URLs
• Cause the server to access internal network resources (private IPs, cloud metadata endpoints)
• Cause minor resource consumption through image downloads (bounded by timeout)

Note: This vulnerability occurs during token counting, which may happen outside of model invocation (e.g., in logging, metrics, or token budgeting flows).

Details

The vulnerable code path:

1. get_num_tokens_from_messages() processes messages containing image_url content blocks
2. For images without detail: "low", it calls _url_to_size() to fetch the image and compute token counts
3. _url_to_size() performs httpx.get(image_source) on any URL without validation
4. Prior to the patch, there was no SSRF protection, size limits, or explicit timeout

File: libs/partners/openai/langchain_openai/chat_models/base.py

Patches

The vulnerability has been patched in langchain-openai==1.1.9 (requires langchain-core==1.2.11).

The patch adds:

1. SSRF validation using langchain_core._security._ssrf_protection.validate_safe_url() to block:
   • Private IP ranges (RFC 1918, loopback, link-local)
   • Cloud metadata endpoints (169.254.169.254, etc.)
   • Invalid URL schemes
2. Explicit size limits (50 MB maximum, matching OpenAI's payload limit)
3. Explicit timeout (5 seconds, same as httpx.get default)
4. Allow disabling image fetching via allow_fetching_images=False parameter

Workarounds

If you cannot upgrade immediately:

1. Sanitize input: Validate and filter image_url values before passing messages to token counting or model invocation
2. Use network controls: Implement egress filtering to prevent outbound requests to private IPs

---

Release Notes

langchain-ai/langchain (langchain-core)

v0.1.16

Compare Source

What's Changed

• openai[patch]: Release 0.1.2 by @​baskaryan in #​20241
• docs: fix external repo partner docs by @​efriis in #​20238
• groq[patch]: Release 0.1.1 by @​baskaryan in #​20242
• experimental[patch]: Release 0.0.57 by @​baskaryan in #​20243
• groq: xfail tool_choice tests by @​efriis in #​20247
• [core]: add tool calls message by @​baskaryan in #​18947
• core[patch]: Pre-release 0.1.42-rc.1 by @​baskaryan in #​20248
• openai[patch]: pre-release 0.1.3-rc.1 by @​baskaryan in #​20249
• anthropic[patch]: Pre-release 0.1.8-rc.1 by @​baskaryan in #​20250
• mistralai[patch]: Pre-release 0.1.2-rc.1 by @​baskaryan in #​20251
• infra, multiple: rc release versions by @​efriis in #​20252
• update agents to use tool call messages by @​ccurme in #​20074
• openai[patch]: Fix langchain-openai unknown parameter error with gpt-4-turbo by @​os1ma in #​20271
• community: import flattening fix by @​leo-gan in #​20110
• core: mustache prompt templates by @​nfcampos in #​19980
• docs: update tool calling cookbook by @​ccurme in #​20290
• core[patch]: fix duplicated kwargs in _load_sql_databse_chain by @​B-Step62 in #​19908
• partners: Add chroma partner package by @​killind-dev in #​19292
• chroma: add optional fastapi dep to restrict to <1 by @​efriis in #​20295
• chroma: add required fastapi dep to restrict to <1 by @​efriis in #​20297
• chroma: bump rc, keep optional by @​efriis in #​20298
• core[patch]: include tool_calls in ai msg chunk serialization by @​baskaryan in #​20291
• core[patch]: fix ChatGeneration.text with content blocks by @​baskaryan in #​20294
• langchain[patch]: agents check prompt partial vars by @​baskaryan in #​20303
• openai[patch]: use tool_calls in request by @​baskaryan in #​20272
• docs: added backtick on RunnablePassthrough by @​spike-spiegel-21 in #​20310
• core[patch]: For now remove user warning by @​eyurtsev in #​20321
• community[patch]: Add deprecation warnings to postgres implementation by @​eyurtsev in #​20222
• mistral: add IDs to tool calls by @​ccurme in #​20299
• core[patch]: Release 0.1.42 by @​baskaryan in #​20332
• release anthropic, fireworks, openai, groq, mistral by @​baskaryan in #​20333
• docs: Update documentation for custom LLMs by @​eyurtsev in #​19972
• Testing list of tool calling providers by @​eyurtsev in #​20330
• langchain[patch]: Release 0.1.16 by @​baskaryan in #​20335
• docs: add component page for tool calls by @​ccurme in #​20282
• docs: add tool-calling agent by @​baskaryan in #​20328
• docs: update chat openai by @​baskaryan in #​20331

New Contributors

• @​killind-dev made their first contribution in #​19292

Full Changelog: langchain-ai/langchain@v0.1.15...v0.1.16

v0.1.15

Compare Source

What's Changed

• experimental[patch]: Release 0.0.56 by @​baskaryan in #​19840
• docs: remove unnecessary args from the pip install by @​cyai in #​19823
• Update cross_encoder_reranker.ipynb by @​eltociear in #​19846
• core: generate mermaid syntax and render visual graph by @​angeligareta in #​19599
• ai21[patch]: release 0.1.3 by @​efriis in #​19867
• 👥 Update LangChain people data by @​jacoblee93 in #​19858
• community[patch]: Revert " Fix the bug that Chroma does not specify `e… by @​baskaryan in #​19866
• openai[patch]: fix azure embedding length check by @​efriis in #​19870
• Partially Revert "openai[patch]: Update openai chat model to new base class interface" by @​nfcampos in #​19871
• ai21[patch]: fix core dep by @​efriis in #​19874
• community[patch]: Release 0.0.31 by @​baskaryan in #​19873
• community: Update ChatZhipuAI to support GLM-4 model by @​zhangch9 in #​16695
• openai[patch]: remove openai chunk size validation by @​efriis in #​19878
• Add OpenVINO rerank model support by @​OpenVINO-dev-contest in #​19791
• robocorp[patch]: Fix nested arguments descriptors and tool names by @​mkorpela in #​19707
• robocorp[patch]: fix core min version by @​efriis in #​19879
• community: Add Dria retriever by @​anilaltuner in #​17098
• docs[patch]: Revert quarto update by @​bracesproul in #​19880
• docs: Fix link in Unstructured notebook by @​northern-64bit in #​19851
• cli[minor]: Add version to integration package template by @​eyurtsev in #​19876
• langchain: Adding a new section aware splitter to langchain by @​msetbar in #​16526
• docs: Add docs for RunnableConfigurableFields by @​spike-spiegel-21 in #​19849
• feat(partners): support request timeout in BaseCohere by @​mspronesti in #​19641
• docs[patch]: Hide google from function calling docs by @​bracesproul in #​19887
• community: add Layerup Security integration by @​JamsheedMistri in #​19787
• Add remove_comments option (default True): do not extract html comments by @​petervandenabeele in #​13259
• core: Assign missing message ids in BaseChatModel by @​nfcampos in #​19863
• Core[major]: Base Tracer to propagate raw output from tool for on_tool_end by @​keenborder786 in #​18932
• core[patch]: Release 0.1.38 by @​baskaryan in #​19895
• langchain: fix ElasticsearchStore reference for self query by @​maxjakob in #​19907
• Cohere: Add multihop tool agent by @​harry-cohere in #​19919
• cohere[patch]: release 0.1.0 by @​efriis in #​19924
• cohere, docs: update imports and installs to langchain_cohere by @​billytrend-cohere in #​19918
• cohere: simplify integration test by @​harry-cohere in #​19928
• cohere: Improve integration test stability, fix documents bug by @​harry-cohere in #​19929
• docs: mention caveats with CacheBackedEmbeddings.embed_query by @​jokester in #​19926
• pinecone[patch]: source tag by @​efriis in #​19739
• core[patch]: remove requests by @​efriis in #​19891
• deprecating integrations moved to langchain_google_community by @​lkuligin in #​19841
• docs: update cohere documentation by @​sepiatone in #​19700
• core: BaseChatModel modify chat message before passing to run_manager by @​nfcampos in #​19939
• core[patch]: Release 0.1.39 by @​baskaryan in #​19940
• core: fix return of draw_mermaid_png and change to not save image by default by @​angeligareta in #​19950
• core[minor]: Add aload to document loader by @​eyurtsev in #​19936
• langchain-postgres: Initial package with postgres chat history implementation by @​eyurtsev in #​19884
• Support weight only quantization with intel-extension-for-transformers. by @​PenghuiCheng in #​14504
• comunity: Implement delete method and all async methods in opensearch_vector_search by @​2jimoo in #​17321
• Update metadata filtering examples of documents by @​tomasonjo in #​19963
• core: 0.1.40, fix try_load_from_hub for older langchain versions load_chain by @​efriis in #​19964
• docs: Custom Document Loaders by @​eyurtsev in #​19935
• cli[minor]: Add disable sockets in unit tests by @​eyurtsev in #​19877
• langchain_groq[feat]: Add tool calling support by @​gradenr in #​19971
• groq: release 0.1.0 by @​efriis in #​19975
• groq: fix core version by @​efriis in #​19976
• groq: handle streaming tool call case by @​efriis in #​19978
• Jacob/docs new by @​jacoblee93 in #​19765
• cohere: Add citations to agent, flexibility to tool parsing, fix SDK issue by @​harry-cohere in #​19965
• core[Patch]: mypy ignore fixes #​17048 by @​UtkarshaGupte in #​19931
• core[minor]: Add aformat to FewShotPromptTemplate by @​cbornet in #​19652
• core: support pydantic V2 for JSONOutputParser, allow for other sources of JSON schemas by @​jnis23 in #​19716
• [docs][minor]: Fix typo in Custom Document Loader doc by @​cbornet in #​20003
• community: Implement Async OpenSearch afrom_texts & afrom_embeddings by @​crispyricepc in #​20009
• community[minor]: Add metadata filtering support for neo4j vector by @​tomasonjo in #​20001
• langchain: enhance LocalFileStore to allow directory/file permissions to be specified by @​chrispy-snps in #​18857
• docs[patch]: Make Docusaurus and Vercel add trailing slashes when navigating by default by @​jacoblee93 in #​20014
• community[minor]: added missed class to all by @​leo-gan in #​19888
• anthropic[minor]: tool use by @​baskaryan in #​20016
• anthropic[patch]: bump core dep by @​baskaryan in #​20019
• Add cookbook for Anthropic .with_structured_output() by @​rlancemartin in #​20017
• anthropic[patch]: fix experimental tests by @​baskaryan in #​20021
• docs: graphs update by @​leo-gan in #​19675
• docs integrations/providers update 10 by @​leo-gan in #​19970
• anthropic[patch]: use anthropic 0.23 by @​baskaryan in #​20022
• anthropic[patch]: Release 0.1.6 by @​baskaryan in #​20026
• docs: integrations/providers/unstructured update by @​leo-gan in #​19892
• docs: mark anthropic tools wrapper as deprecated by @​baskaryan in #​20024
• docs: integrations/providers update 9 by @​leo-gan in #​19941
• Update example cookbook for Anthropic tool use by @​rlancemartin in #​20029
• docs: hide experimental anthropic by @​baskaryan in #​20030
• docs: fixing typo in argument name by @​0ssamaak0 in #​20028
• docs[patch]: Fix Model I/O quickstart by @​jacoblee93 in #​20031
• docs: fix together model tab by @​baskaryan in #​20032
• docs: weaviate docs by @​efriis in #​20042
• Docs: Update custom chat model by @​eyurtsev in #​19967
• docs: fix title cap by @​efriis in #​20048
• core: Implement aformat_messages for ChatMessagePromptTemplate by @​cbornet in #​20038
• core: Add async aformat_document method by @​cbornet in #​20037
• core: Implement aformat_prompt and ainvoke in BasePromptTemplate by @​cbornet in #​20035
• core[patch]: Document BaseCache abstraction in code by @​eyurtsev in #​20046
• langchain-core[minor]: Allow passing local cache to language models by @​liugddx in #​19331
• community[patch]: Improve import callbacks to make it IDE friendly by @​eyurtsev in #​20050
• docs[patch]: Add missing redirects by @​jacoblee93 in #​20076
• cohere: move package to external repo by @​efriis in #​20081
• docs: anthropic tool docstring by @​baskaryan in #​20091
• template: add rag azure search template by @​kristapratico in #​18143
• partners[anthropic]: fix anthropic chat model message type lookup keys by @​maximeperrindev in #​19034
• templates: migrate to langchain_anthropic package to support Claude 3 models by @​donbr in #​19393
• pinecone[patch]: release 0.1.0 by @​efriis in #​20109
• Documentation: Fixed the typo of Discord -> Telegram by @​TAAGECH9 in #​20008
• [core] fix: manually specifying run_id for chat models.invoke() and .ainvoke() by @​hinthornw in #​20082
• postgres[minor]: add postgres checkpoint implementation by @​eyurtsev in #​20025
• postgres[minor]: Add pgvector community as is by @​eyurtsev in #​20096
• community[minor]: Add support for Pebblo cloud_api_key in PebbloSafeLoader by @​rahul-trip in #​19855
• Community: Updating Azure Retriever and Docs to be Azure AI Search instead of Azure Cognitive Search by @​marlenezw in #​19925
• community: Add PHP language parser to document_loaders by @​david02871 in #​19850
• docs: use standard openai params by @​baskaryan in #​20160
• docs: standardize fireworks params by @​baskaryan in #​20162
• mistralai[patch]: standardize model params by @​baskaryan in #​20163
• anthropic[patch]: standardize init args by @​baskaryan in #​20161
• community: extend Predibase integration to support fine-tuned LLM adapters by @​alexsherstinsky in #​19979
• langchain: fix pinecone upsert when async_req is set to False by @​harryhaibojiang in #​19793
• pinecone[patch]: fix core min version by @​efriis in #​20177
• Adding MongoDB Cookbook for Chat history and semantic cache by @​RichmondAlake in #​19998
• community: add request_timeout and max_retries to ChatAnthropic by @​kaijietti in #​19402
• docs: add vertexai to structured output by @​baskaryan in #​20171
• community: cross_encoders flatten namespaces by @​leo-gan in #​20183
• docs: TogetherAI as a drop-in replacement for OpenAI by @​sepiatone in #​19900
• Community: Add support for MLX models (chat & llm) by @​Blaizzy in #​18152
• community: add bedrock anthropic callback for token usage counting by @​Sukitly in #​19864
• Fix pr 19772 by @​3coins in #​20047
• baichuan[patch]: standardize init args by @​liugddx in #​20209
• docs: Fix the class links in openai_tools and openai_functions description in output parser documentations by @​Haris-Ali007 in #​20197
• community[patch]: pass through sql agent kwargs by @​baskaryan in #​19962
• community: Enhance Tencent Cloud VectorDB, langchain: make Tencent Cloud VectorDB self query retrieve compatible by @​jeffkit in #​19651
• GCSDirectoryLoader bugfix by @​timothywong731 in #​20005
• doc:(sharememory&bittensor) Get rid of ZeroShotAgent and use create_react_agent instead by @​liugddx in #​20157
• community: add allow_dangerous_requests for OpenAPI toolkits by @​daviddwlee84 in #​19493
• docs: Add documentation of ElasticsearchStore.BM25RetrievalStrategy by @​g-votte in #​20098
• openai: wrap stream code in context manager blocks by @​snopoke in #​18013
• Remove postgres package by @​eyurtsev in #​20207
• langchain-postgres: Remove remaining README.md file by @​eyurtsev in #​20221
• together: release 0.1.0 by @​efriis in #​20225
• standard-tests: a standard unit and integration test set by @​efriis in #​20182
• core: Implement aformat for FewShotPromptWithTemplates by @​cbornet in #​20039
• core: Implement aformat_messages for _StringImageMessagePromptTemplate by @​cbornet in #​20036
• community: switch to falkordb python client by @​efriis in #​20229
• community[patch]: OpenLLM Async Client Fixes and Timeout Parameter by @​charlod in #​20007
• langchain[patch]: make BooleanOutputParser check words not substrings by @​casperdcl in #​20064
• langchain[patch]: Update unit test by @​eyurtsev in #​20228
• docs: Fix typo in citations example by @​sjnarmstrong in #​20218
• community: fixed multithreading returning List[List[Documents]] instead of List[Documents] by @​chip-davis in #​20230
• core[patch]: Release 0.1.41 by @​baskaryan in #​20233
• community[patch]: Release 0.0.32 by @​baskaryan in #​20236
• langchain[patch]: Release 0.1.15 by @​baskaryan in #​20237
• mistralai[patch]: Release 0.1.1 by @​baskaryan in #​20239
• anthropic[patch]: Release 0.1.7 by @​baskaryan in #​20240

New Contributors

• @​angeligareta made their first contribution in #​19599
• @​zhangch9 made their first contribution in #​16695
• @​mkorpela made their first contribution in #​19707
• @​anilaltuner made their first contribution in #​17098
• @​spike-spiegel-21 made their first contribution in #​19849
• @​JamsheedMistri made their first contribution in #​19787
• @​jokester made their first contribution in #​19926
• @​PenghuiCheng made their first contribution in #​14504
• @​UtkarshaGupte made their first contribution in #​19931
• @​crispyricepc made their first contribution in #​20009
• @​0ssamaak0 made their first contribution in #​20028
• @​donbr made their first contribution in #​19393
• @​TAAGECH9 made their first contribution in #​20008
• @​rahul-trip made their first contribution in #​19855
• @​david02871 made their first contribution in #​19850
• @​harryhaibojiang made their first contribution in #​19793
• @​RichmondAlake made their first contribution in #​19998
• @​Blaizzy made their first contribution in #​18152
• @​Haris-Ali007 made their first contribution in #​20197
• @​jeffkit made their first contribution in #​19651
• @​daviddwlee84 made their first contribution in #​19493
• @​snopoke made their first contribution in #​18013
• @​charlod made their first contribution in #​20007
• @​casperdcl made their first contribution in #​20064
• @​sjnarmstrong made their first contribution in #​20218

Full Changelog: langchain-ai/langchain@v0.1.14...v0.1.15

v0.1.14

Compare Source

What's Changed

• robocorp[patch]: release 0.0.4 by @​efriis in #​19357
• robocorp[patch]: run integration tests on release by @​efriis in #​19358
• experimental[patch]: Release 0.0.55 by @​baskaryan in #​19353
• openai[patch]: release 0.1.0, message id and name support by @​efriis in #​19363
• openai[patch]: fix name param by @​efriis in #​19365
• openai[patch]: fix core min version by @​efriis in #​19366
• feat: update base_url of anthropic by @​enfeng in #​18634
• community:Replace positional argument with text=text for cohere>=5 compatibility by @​billytrend-cohere in #​19407
• core[patch]: allow "placeholder" type in from_messages tuples by @​hinthornw in #​19152
• mistralai[minor]: 0.1.0rc0, remove mistral sdk by @​efriis in #​19420
• core[minor]: Add utility code to create tool examples by @​hwchase17 in #​18602
• [langchain] fix OpenAIAssistantRunnable.create_assistant by @​ccurme in #​19081
• cookbook[patch]: add strip of quotes
  by @​efriis in #​19452
• mistralai: update tool calling by @​ccurme in #​19451
• community[patch]: invoke callback prior to yielding token (llama.cpp) by @​sepiatone in #​19392
• mistralai[patch]: release 0.1.0rc1 by @​efriis in #​19453
• mistralai[patch]: fix core version by @​efriis in #​19454
• docs: delete mistralai embeddings doc from incorrect location by @​sepiatone in #​19432
• langchain_openai: [URGENT REGRESSION FIX] Don't fail if tool message already doesn't contain name by @​ldorigo in #​19435
• openai[patch]: release 0.1.1 by @​efriis in #​19458
• openai[patch]: integration test structured output by @​efriis in #​19459
• openai[patch]: tool use integration test by @​baskaryan in #​19460
• docs: use invoke instead of run by @​raybellwaves in #​19457
• docs: point to titantic dataset on web by @​raybellwaves in #​19455
• community:Modified regular expression by @​igeni in #​19449
• openai[patch]: add test coverage to output by @​efriis in #​19462
• community: RecursiveUrlLoader: add base_url option by @​germankrause in #​19421
• docarray requires hnsw installation by @​lucifertrj in #​19416
• langchain: Add async methods to VectorStoreRetrieverMemory by @​cbornet in #​19408
• makefile api_docs_clean fix by @​leo-gan in #​19405
• docs: moving FireworksEmbeddings documentation to docs folder by @​sepiatone in #​19398
• community[patch]: invoke callback prior to yielding token (fireworks) by @​sepiatone in #​19388
• community[patch]: invoke callback prior to yielding token (openai) by @​sepiatone in #​19389
• docs: Add partition parameter to DashVector by @​wangcailin in #​19385
• community: fix bugs in baiduvectordb as vectorstore by @​fengjial in #​19380
• docs: update import paths and move to lcel for llama.cpp examples by @​sepiatone in #​19391
• docs: update module imports for fireworks documentation by @​sepiatone in #​19377
• docs: fix error bilibili url by @​Undertone0809 in #​19375
• docs: adding voyageai to the list of partner packages by @​sepiatone in #​19376
• mistralai[patch]: streaming tool calls by @​efriis in #​19469
• Remove non-rendering images & output spamming from doc ntbks by @​rlancemartin in #​19475
• Use async memory in Chain when needed by @​cbornet in #​19429
• code[patch]: Add in code documentation to core Runnable pipe and pick methods (docs only) by @​liugddx in #​19395
• community[minor]: S3FileLoader to use expose mode and post_processors arguments of unstructured loader by @​preak95 in #​19270
• Add OpenVINO llms docs by @​OpenVINO-dev-contest in #​19489
• community[minor]: Add DuckDB as a vectorstore by @​Hugoberry in #​18916
• infra: Update package version to apply CVE-related patch by @​JacobLezberg in #​19490
• langchain-community: Dappier chat model integration by @​IgorMunizS in #​19370
• Update docs for HuggingFacePipeline by @​nikhilkmr300 in #​19306
• add kwargs by @​ccurme in #​19519
• langchain: Passthrough batch_size on index()/aindex() calls by @​znwilkins in #​19443
• core[patch]: Use defusedxml in XMLOutputParser by @​eyurtsev in #​19526
• langchain_cohere: add cohere as a partner package by @​billytrend-cohere in #​19049
• core[runnables]: docstring for class runnable, method with_listeners() by @​sepiatone in #​19515
• cohere[patch]: fix release by @​efriis in #​19529
• core[patch]: fix xml output parser transform by @​eyurtsev in #​19530
• partners/openai: increase max batch size for Azure OpenAI Embeddings API by @​orestxherija in #​19532
• docs: Update local llms article to use invoke instead of deprecated call by @​clarkerican in #​19528
• community: More flexible handling for entity names in vector store "HANA Cloud" by @​MartinKolbAtWork in #​19523
• community: Added GigaChat Embeddings support + updated previous GigaChat integration by @​Mikelarg in #​19516
• fixed links by @​lkuligin in #​19503
• docs: Update streaming.ipynb by @​eltociear in [#​19500](https://redirect.github.com/langchain-a

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun